Dr. Stephen Henson escribió:
On Mon, Jul 28, 2008, Phibo wrote:
Is it possible for a certificate authority (CA) signing my SSL certificate
signing request (csr) to decrypt my own SSL sessions ? Or, in other words,
in a csr are there enough infos about my private key to be able to intercept
SSL sessions encrypted by my public key ?
It can't decrypt anything using your public key no because the CSR only
contains details of your public key and a digital signature.
A CA could in theory perform a MITM attack, by issuing itself a certificate
with your identity and containing a public key to which it has the private
key.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
I want to colaborate. RSA algorith with a 1024 bits key is invulnerable,
while you keep your private key secure. If your keys have been generated
with RSA algorithm, your ca will need millions of computers working at
the same time, many many years. RSA Laboratories is always trying to
hack their own algorithm. They have achieved an attack with 700-800 bits
of key (really modulus, which also is public). Try to factorize a number
of 1024 bits and find the two primus (primus?....non divisible) numbers
that generated the modulus :)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
