Correction: even with Client certificate authentication, there is no distribution of any private key to clients; only a client certificate signed with a private key held at the server end.
Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
Sent: Thursday, August 22, 2019 8:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: vendor distributes their private key

Joel, it's just plain wrong. Others have listed the specifics. It just plain shows they have no clue how certificates work. It would be like if you installed a nice lock on your front door, and then hung the key on a hook outside next to it. You might ask what part of *private* key they are having trouble understanding.

Client authentication -- where appropriate -- is goodness. But client authentication requires a separate key for each client (more or less). A client certificate and key "proves" you are the appropriate client. If the key is widely distributed then anyone can "prove" they are you. Client certificates are analogous to passwords. Making the key public would be like making passwords public.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Joel M Ivey
Sent: Thursday, August 22, 2019 5:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: vendor distributes their private key

A vendor has an FTPS server for us to connect to from a batch job on z/OS. Similar setups with vendors have required the vendor to provide their server's public cert chain for import into RACF. This vendor insists on providing not just their server public cert chain but also their private key. First, they provided a password-protected p12 file, describing it as containing the "root, intermediate, and private certs". I requested their public certificate chain only; they sent me a DER file -- with both the server cert and its private key. I have asked them to elaborate on their need to distribute their private key to me; their response has essentially been, that's the way we do it. I'm not comfortable accepting anyone's private key.

There has been no mention of "client authentication", and I'm still not sure I'd be comfortable with that config, either. Help me understand two things: 1) what I'm missing as to why any vendor would require me to install their private key on my side when installing the public cert on my side should suffice, as in many other instances, and 2) arguments for/against client authentication (not password authentication, but client) in case that is why they're sending me their private key.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
----------------------------------------------------------------------
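A practitioner's check for the situation described in the thread, added here as an example that is not part of any of the posts: before importing a vendor-supplied "certificate" file into a keyring, split the DER file into its top-level objects and refuse anything whose structure is not an X.509 certificate. The sample bytes are constructed stubs with the right outer ASN.1 shape, not real certificates or keys, and the classifier is a structural heuristic rather than a full ASN.1 parser.

```python
def der_tlv(buf, pos=0):
    """Decode the DER element at pos: returns (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_der(obj):
    """Name one top-level DER object by the shape of its first two elements."""
    tag, body, _ = der_tlv(obj)
    if tag != 0x30 or not body:
        return "unknown"
    t1, v1, end1 = der_tlv(body)
    if t1 == 0x30:                           # tbsCertificate is itself a SEQUENCE
        return "X.509 certificate"
    if t1 == 0x02 and end1 < len(body):      # a leading INTEGER is a version field
        version, t2 = int.from_bytes(v1, "big"), der_tlv(body, end1)[0]
        if (version, t2) == (0, 0x02):
            return "PKCS#1 RSA private key"
        if (version, t2) == (0, 0x30):
            return "PKCS#8 private key"
        if (version, t2) == (1, 0x04):
            return "SEC1 EC private key"
        if (version, t2) == (3, 0x30):
            return "PKCS#12 bundle (normally carries a private key)"
    return "unknown"


def audit(data):
    """Return [(kind, importable)] for every top-level object in a DER file.
    Only X.509 certificates are importable; anything else is refused."""
    objs, pos = [], 0
    while pos < len(data):                   # a DER file may concatenate objects
        end = der_tlv(data, pos)[2]
        objs.append(data[pos:end])
        pos = end
    return [(k, k == "X.509 certificate") for k in map(classify_der, objs)]


# Constructed sample (not real key material): a stub certificate followed by a
# stub RSA private key, the combination the thread describes receiving.
SAMPLE_VENDOR_FILE = bytes.fromhex(
    "300b" "3003020101" "3000" "030200ab"    # SEQ{ SEQ{INT 1}, SEQ{}, BIT STRING }
    "300c" "020100" "020200c3" "0203010001"  # SEQ{ INT 0, INT n, INT e }
)

if __name__ == "__main__":
    for kind, ok in audit(SAMPLE_VENDOR_FILE):
        print("import" if ok else "REFUSE", kind)
```

Run against the constructed file it reports one importable certificate and one refused RSA private key; a file that is clean produces only "import" lines.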