On Tue, 13 Jun 2000, Dr Stephen Henson wrote:
> [EMAIL PROTECTED] wrote:
> >
> > Hello and thanks for reading this:
> >
> > I use OpenSSL 0.9.5a, Red Hat Linux 6.2, Intel platform.
> >
> > I'm trying to produce PKCS#12 files to be able to keep the all generation
> > process under my control and to distribute only one file (BTW: why is it
> > taken for such a security bug?). I do it the following way:
> >
>
> The reason this is frowned upon is that the certificate authority then
> has a copy of the users private key and can read any encrypted mail or
> forge their signature.
>
> Other techniques like KEYGEN generate the private key on the browser and
> never reveal it to the CA.
Another reason is that the private key in the PKCS12 is symmetrically
encrypted, so you run into the traditional key exchange problems when
trying to deliver the PKCS12 to the end user: How do you get the
symmetric key to the end user securely? The public key mechanism avoids
this problem.
yuji
----
Yuji Shinozaki Computer Systems Senior Engineer
[EMAIL PROTECTED] Advanced Technologies Group
(804)924-7171 Information Technology & Communication
http://www.people.virginia.edu/~ys2n University of Virginia
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
