dual-use digital signature vulnerabilityastiglic at okiok.com
Ian Grigg
iang at systemics.com
Tue Jul 27 04:28:51 EDT 2004
Peter Gutmann wrote:
> A depressing number of CAs generate the private key themselves and mail out to
> the client. This is another type of PoP, the CA knows the client has the
> private key because they've generated it for them.
It's also cost-effective. The CA model as presented
is too expensive. If a group makes the decision to
utilise the infrastructure for signing or encryption,
then it can significantly reduce costs by rolling out
from the centre.
I see this choice as smart. They either don't do it
at all, or they do it cheaply. This way they have a
benefit.
(Then, there is still the option for upgrading to self-
created keys later on, if the project proves successful,
and the need can be shown.)
As a landmark, I received my first ever correctly
signed x.509 message the other day. I've yet to find
the button on my mailer to generate a cert, so I could
not send a signed reply. Another landmark for the
future, of course.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list