dual-use digital signature vulnerabilityastiglic at okiok.com
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Jul 26 19:53:37 EDT 2004
Richard Levitte - VMS Whacker <levitte at stacken.kth.se> writes:
>Peter, are you talking about generic CAs or in-corporation ones?
Both. Typically what happens is that the CA generates the key and cert and
mails it to the user as a PKCS #12 file, either in plaintext, with the
password in the same email, or occasionally with the password in separate
email. See "How to build a PKI that works" on my home page (direct link at
http://www.cs.auckland.ac.nz/~pgut001/pubs/howto.pdf, Challenge #2 starting on
p.25) for details, including a few sample quotes from users.
>I can definitely see different needs between those.
Actually they both seem to have the same need, it's the least effort to do it
this way. Occasionally you see it dressed up as something else, e.g. "We
don't trust our users to generate the keys properly themselves" (one of those
was from a CA that's distinguished itself through the bugginess of its
software, which makes the comment rather amusing coming from them), but it
almost always boils down to the same thing.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list