Full Disclosure mailing list archives
Re: PGP vs. certificate from Verisign
From: Derek Atkins <derek () ihtfp com>
Date: 10 May 2003 15:51:11 -0400
This very much depends on the policy in place. Generally a client will generate an X.509 certificate request and send that to the CA. The CA signs the certreq, generating a certificate which is returned to the client. At no point in this protocol is the private key sent to the CA.

Some CAs will perform a challenge-response verification protocol to verify that the client has the private key. This involves sending a challenge to the client and asking them to sign the challenge with their private key. The client returns the signed challenge, thereby proving access to the private key. Again, at no point is the private key sent to the CA.

On the other hand, there are some places where the certificate and private key are both issued to the user. I would avoid those like the plague, but some places do it that way. Personally I've never seen an implementation that uses this mechanism, but I've heard of it.

Having written multiple CA systems (both for X.509 and PGP), I've always just dealt with certificate requests. I've never required access to private key material.

-derek

Steve Poirot <poirotsj () gci net> writes:
> I'm 98% sure that the key pair is generated on the client machine and that just the public key is transmitted to the CA. The reason I say 98% instead of 100% is that it's possible that a CA just makes it look like that's what's happening. This could be verified by sniffing the session.
>
> Steve Poirot
>
> Georgi Guninski wrote:
>> I am not an expert, but AFAIK at some time the key issuer has your *private* key because they issue the key. I am not comfortable with someone else having my private key no matter if they claim they don't keep it.
>>
>> Georgi
>>
>> Kamal Habayeb wrote:
>>> Greetings,
>>>
>>> I'm trying to get some expert opinions on which is better. Using Outlook 2002, would it be better to use PGP to encrypt messages or use the built-in option with a digital certificate from Verisign (or some other CA)?
>>>
>>> Thanks,
>>> Kamal
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Derek Atkins
Computer and Internet Security Consultant
derek () ihtfp com
www.ihtfp.com
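The enrollment flow Derek describes, as an added Go example that is not part of the thread: the client generates its key pair locally and sends only a certificate request, the CA checks the request's self-signature (which already proves possession of the matching private key) and issues the certificate, and the optional challenge-response step has the client sign a nonce that the CA verifies with the public key it holds. The subject name, CA name and the bare issuer template are constructed stand-ins; a real CA would pass its own parsed certificate as the issuer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Client side: the key pair is generated locally and the private key stays here.
// Only the CSR (public key + self-signature over the request) travels to the CA.
func clientMakeRequest(cn string) (ed25519.PrivateKey, []byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, csrDER, err
}

// CA side: the CSR is signed with the private key matching the public key it carries, so
// CheckSignature already proves possession. A bare template named caName stands in for the
// CA's own certificate as issuer (constructed for this example; a real CA passes its certificate).
func caIssue(csrDER []byte, caKey ed25519.PrivateKey, caName string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, err // malformed or tampered request: refuse to issue
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: caName}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Optional challenge-response from the thread: the CA sends a nonce, the client signs it, and
// the CA verifies against the public key it already holds. Again no private key crosses the wire.
func clientSignChallenge(key ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(key, nonce) }

func caVerifyChallenge(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig)
}
```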
Current thread:
- PGP vs. certificate from Verisign Kamal Habayeb (May 09)
- Re: PGP vs. certificate from Verisign Valdis . Kletnieks (May 09)
- Re: PGP vs. certificate from Verisign Shawn McMahon (May 09)
- Re: PGP vs. certificate from Verisign Scott M. Algatt (May 09)
- Re: PGP vs. certificate from Verisign Anne Carasik (May 09)
- Re: PGP vs. certificate from Verisign Georgi Guninski (May 10)
- RE: PGP vs. certificate from Verisign Kamal Habayeb (May 10)
- Re: PGP vs. certificate from Verisign Steve Poirot (May 10)
- Re: PGP vs. certificate from Verisign Derek Atkins (May 10)
- Re: PGP vs. certificate from Verisign Ben Laurie (May 10)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign yossarian (May 10)
- [OFFTOPIC] PGP vs. certificate from Verisign Kurt Seifried (May 10)
- Re: [OFFTOPIC] PGP vs. certificate from Verisign yossarian (May 10)
- Re: PGP vs. certificate from Verisign Valdis . Kletnieks (May 09)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign Georgi Guninski (May 11)
- <Possible follow-ups>
- RE: PGP vs. certificate from Verisign Evans, TJ (BearingPoint) (May 09)
- Re: PGP vs. certificate from Verisign yossarian (May 09)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign yossarian (May 09)