| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3EBD5B1C.5040603@algroup.co.uk> From: ben at algroup.co.uk (Ben Laurie) Subject: PGP vs. certificate from Verisign Steve Poirot wrote: > I'm 98% sure that the key pair is generated on the client machine and > that just the public key is transmitted to the CA. The reason I say 98% > instead of 100% is that it's possible that a CA just makes it look like > that's what's happening. This could be verified by sniffing the session. Well, the amusing thing is you can do it either way. As it happens neither Thawte nor Verisign (yeah, OK, they're the same thing) have sold out enough to generate private keys. I still hear people telling me occasionally that there are sound reasons for having the CA generate the private key. Strangely they never quite get round to specifying what those reasons are. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Powered by blists - more mailing lists