From: ben at algroup.co.uk (Ben Laurie)
Subject: PGP vs. certificate from Verisign

Steve Poirot wrote:
> I'm 98% sure that the key pair is generated on the client machine and
> that just the public key is transmitted to the CA.  The reason I say 98%
> instead of 100% is that it's possible that a CA just makes it look like
> that's what's happening.  This could be verified by sniffing the session. 

Well, the amusing thing is you can do it either way. As it happens
neither Thawte nor Verisign (yeah, OK, they're the same thing) have sold
out enough to generate private keys.

I still hear people telling me occasionally that there are sound reasons
for having the CA generate the private key. Strangely they never quite
get round to specifying what those reasons are.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
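The point raised in the thread, that the key pair is generated on the client and only the public key travels to the CA, can be checked on your own machine without sniffing anything: build the request yourself and inspect it. The following is an added example, not code from the thread or from any CA; it assumes the openssl command-line tool, uses a constructed subject name (CN=example.test), and writes its own minimal request config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not part of the original thread: generate a key pair locally,
# build the certificate request a client would send to the CA, and check what
# that request actually contains. Assumes the openssl command-line tool.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal request config, written here so the run does not depend on the
# system openssl.cnf. The subject name is a constructed placeholder.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
SUBJ="/CN=example.test"

# Step 1: the key pair is generated on the client; the private key stays in $WORK.
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/client.key" 2>/dev/null
}

# Step 2: the CSR is the artefact that would be transmitted to the CA.
make_csr() {
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/client.key" \
    -subj "$SUBJ" -out "$WORK/client.csr" 2>/dev/null
}

# Check A: does what leaves the machine carry any private key material?
csr_has_private_key() {
  if grep -q "PRIVATE KEY" "$WORK/client.csr"; then echo yes; else echo no; fi
}

# Check B: the public key inside the CSR is the public half of the local key.
csr_pubkey_matches() {
  from_csr="$(openssl req -config "$WORK/req.cnf" -in "$WORK/client.csr" -pubkey -noout 2>/dev/null)"
  from_key="$(openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null)"
  if [ "$from_csr" = "$from_key" ]; then echo match; else echo mismatch; fi
}

# Check C: the CSR is self-signed with the private key. That signature is how
# the CA learns the requester holds the key without ever receiving it.
csr_signature_ok() {
  if openssl req -config "$WORK/req.cnf" -in "$WORK/client.csr" -verify -noout >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

# Stand-alone run: print the three checks.
if command -v openssl >/dev/null 2>&1; then
  gen_keypair
  make_csr
  echo "private key material in CSR:      $(csr_has_private_key)"
  echo "CSR public key matches local key: $(csr_pubkey_matches)"
  echo "CSR self-signature:               $(csr_signature_ok)"
else
  echo "openssl not found; nothing to demonstrate" >&2
fi
```

Run it as a script; the expected output is "no", "match" and "ok". The same three checks apply to a request produced by a browser or enrollment tool: save the request it generates and inspect it the same way. If a CA-side process were generating the private key instead, the local side would have no key file to compare against and no self-signature to verify, which is the difference the thread is arguing about.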

