dual-use digital signature vulnerability

Ian Grigg iang at systemics.com
Tue Jul 27 04:28:51 EDT 2004


Peter Gutmann wrote:

> A depressing number of CAs generate the private key themselves and mail out to
> the client.  This is another type of PoP, the CA knows the client has the
> private key because they've generated it for them.

It's also cost-effective.  The CA model as presented
is too expensive.  If a group makes the decision to
utilise the infrastructure for signing or encryption,
then it can significantly reduce costs by rolling out
from the centre.

I see this choice as smart.  They either don't do it
at all, or they do it cheaply.  This way they have a
benefit.

(Then, there is still the option for upgrading to self-
created keys later on, if the project proves successful,
and the need can be shown.)

As a landmark, I received my first ever correctly
signed X.509 message the other day.  I've yet to find
the button on my mailer to generate a cert, so I could
not send a signed reply.  Another landmark for the
future, of course.

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


