Message-ID: <sjm1xz6d1hs.fsf@kikki.mit.edu>
From: derek at ihtfp.com (Derek Atkins)
Subject: PGP vs. certificate from Verisign

This very much depends on the policy in place.  Generally a client
will generate an X.509 certificate request and send that to the CA.
The CA signs the certreq, generating a certificate which is returned
to the client.  At no point in this protocol is the private key sent
to the CA.

Some CAs will perform a challenge-response verification protocol to
verify that the client has the private key.  This involves sending a
challenge to the client and asking them to sign the challenge with
their private key.  The client returns the signed challenge, thereby
proving access to the private key.  Again, at no point is the private
key sent to the CA.

On the other hand, there are some places where the certificate and
private key are both issued to the user.  I would avoid those like the
plague, but some places do it that way.  Personally I've never seen an
implementation that uses this mechanism, but I've heard of it.

Having written multiple CA systems (both for X.509 and PGP), I've
always just dealt with certificate requests.  I've never required
access to private key material.

-derek

Steve Poirot <poirotsj@....net> writes:

> I'm 98% sure that the key pair is generated on the client machine and
> that just the public key is transmitted to the CA.  The reason I say
> 98% instead of 100% is that it's possible that a CA just makes it look
> like that's what's happening.  This could be verified by sniffing the
> session.  Steve Poirot
> 
> Georgi Guninski wrote:
> 
> > I am not an expert, but AFAIK at some time the key issuer has your
> > *private* key because they issue the key. I am not comfortable with
> > someone else having my private key no matter if they claim they
> > don't keep it.
> >
> > Georgi
> >
> > Kamal Habayeb wrote:
> >
> >> Greetings,
> >>
> >> I'm trying to get some expert opinions on which is better.  Using
> >> Outlook 2002, would it be better to use PGP to encrypt messages or use
> >> the built-in option with a digital certificate from Verisign (or some
> >> other CA)?
> >>
> >> Thanks,
> >>
> >> Kamal
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@...fp.com             www.ihtfp.com
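
The two issuance flows Derek describes above (a certificate request signed by the CA, then the optional challenge-response proof of possession) as a worked example in Go, added here; it is not code from the original post or from any CA product. It uses only the standard library. The Client and CA types, the Issue and Challenge functions, the "Demo Issuing CA" name and the subject used in the usage note are all constructed for the example, and the CA key lives in memory only because this is a demo. The thing to watch is what crosses from Client to CA: a CSR (public key plus a self-signature) and a signature over the CA's nonce. The private key never leaves the Client's unexported field, which is exactly the property the thread is arguing about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return k
}

type Client struct{ priv *ecdsa.PrivateKey } // nothing below ever hands priv to the CA

func NewClient() *Client { return &Client{priv: newKey()} }

// CSR builds a PKCS#10 request (subject + public key) signed with the private key.
func (c *Client) CSR(cn string) ([]byte, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, c.priv)
}

// SignChallenge answers a proof-of-possession nonce: the CA gets a signature, not the key.
func (c *Client) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

type CA struct { // an in-memory CA for the demo: self-signed root plus its signing key
	Cert *x509.Certificate
	priv *ecdsa.PrivateKey
}

func NewCA() (*CA, error) {
	priv := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, priv: priv}, nil
}

// Issue checks the CSR's self-signature (the request itself proves possession) and signs a cert.
func (ca *CA) Issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // request not signed by the enclosed public key: refuse it
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func (ca *CA) Challenge() []byte { // the extra step some CAs run: a fresh nonce to sign
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// VerifyChallenge checks the response using only the public key in the issued certificate.
func VerifyChallenge(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Wiring it together in a main or a test looks like: `client := NewClient()`, `ca, _ := NewCA()`, `csr, _ := client.CSR("kamal@example.invalid")`, `cert, _ := ca.Issue(csr)`, then `cert.CheckSignatureFrom(ca.Cert)` for the chain check and `VerifyChallenge(cert, nonce, sig)` for the proof of possession. Issue refuses a CSR whose self-signature does not verify, which is what makes a request from someone who merely copied a public key fail.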
