lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3EBD5C27.7080001@brvenik.com>
From: security at brvenik.com (Jason)
Subject: PGP vs. certificate from Verisign

Georgi Guninski wrote:
> I am not an expert, but AFAIK at some time the key issuer have your 
> *private* key because they issue the key. I am not comfortable someone 
> else having my private key no matter if they claim they don't keep it.
> 
> Georgi
> 

Not in the normal operations of PKI. Briefly, in the classic case the 
private key is generated at the requesting system and a public key is 
sent to the issuing authority as a cdertificate signing request for 
signing. The issuing authority does some validation of stuff and then 
returns the public key in the form of a signed certificate. This 
prevents tampering of the contents of the complete certificate by 
providing a signature created with the private key of the issuer, the 
public key of the issuer can then be used to verify this signature.

There are implementations that will do key escrow and they are all about 
being able to recover intellectual properties by the legal owners in the 
case that the encrypting authority (user) refuses or is unable to 
provide them. Basically this is for corporations that have PKI and use 
it to recover from any number of cases that can make it impossible for 
an employee to decrypt information. Examples would be a car accident 
that takes the life of the employee or termination...

In this case there are safeguards that are implemented to ensure that 
the recovery of a key is only possible when justified. It is the 
equivalent of aligning the stars and planets correctly and then proving 
that there is a true eclipse even though it should not be happening.

-J

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ