> The private key is "everything."
...
> ... signed by a commercial CA, you don't send them the private
key ...
YES!
-- R; <><
On 11/18/25 11:20 AM, Charles Mills wrote:
> On Tue, 18 Nov 2025 08:15:48 -0500, Rick Troth <[email protected]> wrote:
> <snip>
> > But I have to point out that retaining your own data (keeping your
> > cookies in-house) is wise.
> <snip>
>
> Let me make one important point about keeping your data at home, relative to
> commercial certificate authorities.
>
> The certificate "thing" has two parts: the certificate itself, and the private
> key that corresponds to the certificate.
>
> The certificate itself is "nothing." It is sent out, unencrypted, at the start
> of every TLS session. In my certificate class I have a slide with the certificate for
> WellsFargo.com on it. (Actually half of the certificate; it doesn't all fit on one
> slide.) Did I steal it? Is my showing it a risk to Wells Fargo? No, they send it out
> unencrypted at the start of every session anyway.
>
> The private key is "everything."
>
> And here's the point: when you get a certificate signed by a commercial CA, you
> don't send them the private key. They never have the private key. It stays
> safely at home. All they have is the public part. (This assumes that you send
> them a CSR, the output of RACDCERT GENREQ. Most CAs will in fact generate the
> private key if you want, but that's not how RACF encourages you to do things.)
>
> So I see very little risk -- I am going to go out on a limb and say no risk -- in sending
> CSRs off "into the cloud." Certificates go out into the cloud anyway every time
> you start a session.
>
> Charles
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
--
-- R; <><
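As an added example (not from anyone in the thread), the same point shown with openssl in place of RACDCERT GENREQ: the key pair is generated locally, the CSR that would go "into the cloud" carries only the public key plus a proof-of-possession self-signature, and the private key never appears in it. The file names and the CN are made up for the demo.

```shell
#!/bin/sh
# Added example: demonstrates that a CSR contains no private-key material.
# openssl stands in for RACDCERT GENREQ; paths and subject are invented.
set -eu

# Generates a key pair and a CSR in a scratch directory; prints the directory.
make_csr() {
  dir=$(mktemp -d)
  # 1. The private key is created and stays "at home".
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/home.key" 2>/dev/null
  # 2. The CSR is the only thing that would be sent to the CA.
  openssl req -new -key "$dir/home.key" -subj "/CN=example.test" \
      -out "$dir/request.csr" 2>/dev/null
  echo "$dir"
}

# Returns 0 if the CSR file contains no PEM private-key block at all.
csr_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$1"
}

# Returns 0 if the public key embedded in the CSR is exactly the public
# half of the private key it was generated from.
csr_matches_key() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$csr_pub" = "$key_pub" ]
}

# Returns 0 if the CSR's self-signature verifies: this is what lets the CA
# confirm the requester holds the private key without ever seeing it.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Run `d=$(make_csr)` and then the three checks against `$d/request.csr` and `$d/home.key`; all three return 0, and `cat "$d/request.csr"` shows only a CERTIFICATE REQUEST block.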