-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi
On Sunday 20 October 2019 at 3:20:41 PM, in <mid:87a79vsdl2....@mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:- > I just found that > https://extrassl.actalis.it/portal/uapub/doProcess > Provides a free smime certificate. [...] > does somebody know whether there is a security > breach, the way this > certificate was generated? I'm no expert but their Certificate Policy reads to me that the private key is compromised right from the start. I think usually the keys are generated on the subscriber's device and only the public key goes to the CA to be certified. https://www.actalis.it/documenti-it/caact-free-s-mime-certificates-policy.aspx 3.2.2 Proving possession of private key The private cryptographic key corresponding to the public key within the certificate is generated by the CA (with a suitable algorithm, size, etc.) and subsequently sent to the subscriberin PKCS#12 for-mat[PFX], via email, thereby insuring that the subscriber does possess the private key.The password needed to import the PKCS#12 file isprovided to the subscriber out-of-band (via web), therefore protecting it from unwanted disclosure to third parties. The CA does not retain such pass-word, so that the legitimate subscriber –assuming that he/she keeps such password confidential –remains the only person able to import the PKCS#12. And 4.1Certificate Application, Processing and Issuance To apply for a certificate pursuant to this CP, after accepting the quote, the requestor shall fill in and submit aweb-basedrequest formto be found on the CA web site.Before the requestor can actually submit the certificate request form to the CA, he/she must read and accept this Certificate Policy and the Terms & Conditions; both documents are made available for download in the same web form. The requestor’s acceptance is expressed by “point & click”, as allowed by Italian and European legislation on distance contracts. Furthermore, before the certificate request is accepted, the CA shall perform I&A according to §3.2.Upon submission of the certificate request form, the CA shall issue the certificateand send this latter to the Subscriber via email.The certificate is sent to the Subscriber requestor together with the corresponding private key, both bundled into a PKCS#12 file[PFX]. The password needed to decipher the PKCS#12 file is shown to the requestor in the browser, at the end of the certificate request procedure. It is up to the Subscriber to keep that password confidential and protect it from unwanted loss - -- Best regards MFPA <mailto:2017-r3sgs86x8e-lists-gro...@riseup.net> The cure for anything is salt water - sweat, tears, or the sea. -----BEGIN PGP SIGNATURE----- iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXa5Apl8UgAAAAAAuAChp c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju +hLrAQDX3kiS9p18mUhVAnRBKf7feFGwxuY5AJR4sDXLNLIvaAD9FMxw2WwwSxSf oUu2nNF725xRn2Ntz32fWx1LwrPWpwyJApMEAQEKAH0WIQRSX6konxd5jbM7JygT DfUWES/A/wUCXa5Apl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/71GD/4kRUTdsHkJzBgmNue/KY9DEw5S +LYPZU01uI3f4x+x5ECbXUhb5SmBiENKshhH1OcrGiZAV974scCJF2sjnZUfjHTX IzXVbTKDI51WF1osGcLaHlrykNJ7HoV+qoZXrIUGts8KUipfUqqC9Zq7ZMHlDt/U vjoUQxO9Akj7mBat4nWHO0f2bydULyxGwyLwdOKj3P/BoWQyG6eqHODr9iTceFnM KZY6/Nabc9GO9HIRLQ48vMj+ElJNDefhyjg7P14GwGYRdzTxm1WaLCZNnz5aCfKo rtRDvP6l/KiTTwezkIoBy3/YfwYYXlrJe7aklnhJVLnKGW+gpQrD2MYUztu+9r0J doWEQnk8J6jIX47LaVC5KKoopD0ZSv4FGCSCRioqefVMQttSm5uPqim1zSZFNJBA KIPXMlNbMTpoMvXjWGyYhEhkyg2GJeJeq84Qh9+D2SNCzglO7R1PCR7p/+JAX/Mi CUG4s8MzRFH/9z0fRYXjrxxAX/aDX7hzInkw9Srw1L4n7JRJ5VQ/BO/wGGFFwmcq uaJH4MFINSp6OgUppojGEGJaSLUsdGHVDxcmJMOg1047rjrf78aT1qhK6twSvMpv aRtjZ/NJQDZt3eTdRVcb3aLvYzuha6A/mnSgH8KtrSlBZWRtRZtF+dEnP8o97sHN hRogUjEPkCqkgFWzag== =BJGA -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
