Full Disclosure mailing list archives

Re: PGP vs. certificate from Verisign


From: Derek Atkins <derek () ihtfp com>
Date: 10 May 2003 15:51:11 -0400

This very much depends on the policy in place.  Generally a client
will generate an X.509 certificate request and send that to the CA.
The CA signs the certreq, generating a certificate which is returned
to the client.  At no point in this protocol is the private key sent
to the CA.

Some CAs will perform a challenge-response verification protocol to
verify that the client has the private key.  This involves sending a
challenge to the client and asking them to sign the challenge with
their private key.  The client returns the signed challenge, thereby
proving access to the private key.  Again, at no point is the private
key sent to the CA.

On the other hand, there are some places where the certificate and
private key are both issued to the user.  I would avoid those like the
plague, but some places do it that way.  Personally I've never seen an
implementation that uses this mechanism, but I've heard of it.

Having written multiple CA systems (both for X.509 and PGP), I've
always just dealt with certificate requests.  I've never required
access to private key material.

-derek

Steve Poirot <poirotsj () gci net> writes:

I'm 98% sure that the key pair is generated on the client machine and
that just the public key is transmitted to the CA.  The reason I say
98% instead of 100% is that it's possible that a CA just makes it look
like that's what's happening.  This could be verified by sniffing the
session.  Steve Poirot

Georgi Guninski wrote:

I am not an expert, but AFAIK at some time the key issuer has your
*private* key because they issue the key. I am not comfortable with
someone else having my private key no matter if they claim they
don't keep it.

Georgi

Kamal Habayeb wrote:

Greetings,

I'm trying to get some expert opinions on which is better.  Using
Outlook 2002, would it be better to use PGP to encrypt messages or use
the built-in option with a digital certificate from Verisign (or some
other CA)?

Thanks,

Kamal
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek () ihtfp com             www.ihtfp.com
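The enrolment Derek describes above (client generates the key pair, sends only a certificate request, the CA signs it, optionally after a challenge-response proof of possession), run end to end with the openssl command-line tool. This is an added example, not code from the thread or from any of the posters; it assumes the openssl binary is installed, uses 2048-bit RSA, and the subject names, file names and temp directory are illustrative. The checks at the end are the ones Steve's "sniff the session" suggestion boils down to: the only artefact that crosses to the CA contains no private key, the signed challenge verifies against the public key in the request, and the returned certificate wraps exactly the key generated locally.

```shell
#!/bin/sh
# Added example, not from the thread: X.509 enrolment with the openssl CLI,
# showing that only a CSR and a signed challenge ever reach the CA.
# Subjects, file names and key size are illustrative assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- CA side ---------------------------------------------------------------
ca_setup() {
  # The CA's own key pair and a self-signed root certificate.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Example Test CA" \
    -days 1 -out "$WORK/ca.crt" 2>/dev/null
}

ca_issue_challenge() {
  # Proof-of-possession step: a fresh random value the client must sign.
  openssl rand -hex 32 > "$WORK/challenge.txt"
}

ca_verify_challenge() {
  # Verify the signed challenge ($1) with the public key taken from the CSR
  # itself, so the check binds the request to a private key the CA never saw.
  openssl req -in "$WORK/client.csr" -pubkey -noout > "$WORK/csr.pub"
  openssl dgst -sha256 -verify "$WORK/csr.pub" \
    -signature "$1" "$WORK/challenge.txt" >/dev/null 2>&1
}

ca_sign_csr() {
  # Check the CSR's own self-signature, then issue the certificate.
  openssl req -in "$WORK/client.csr" -verify -noout 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.crt" 2>/dev/null
}

# --- Client side -----------------------------------------------------------
client_make_csr() {
  # The key pair is generated locally; the CSR carries only the public key,
  # the subject, and a self-signature made with the private key.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/client.key" 2>/dev/null
  openssl req -new -key "$WORK/client.key" \
    -subj "/CN=alice@example.test" -out "$WORK/client.csr" 2>/dev/null
}

client_sign_challenge() {
  # Sign the CA's challenge with the private key, which stays on this side.
  openssl dgst -sha256 -sign "$WORK/client.key" \
    -out "$WORK/challenge.sig" "$WORK/challenge.txt"
}

# --- Checks a sceptical client can run on what crossed the wire ------------
csr_carries_no_private_key() {
  # The only thing sent to the CA is the CSR; it must contain no key material.
  ! grep -q "PRIVATE KEY" "$WORK/client.csr"
}

client_public_key() { openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null; }
cert_public_key()   { openssl x509 -in "$WORK/client.crt" -pubkey -noout; }

cert_matches_local_key() {
  # The issued certificate must wrap exactly the public key generated here.
  [ "$(client_public_key)" = "$(cert_public_key)" ]
}

cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

wrong_key_fails_challenge() {
  # Negative case: a signature made with some other key must be rejected.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
  openssl dgst -sha256 -sign "$WORK/other.key" \
    -out "$WORK/other.sig" "$WORK/challenge.txt"
  ! ca_verify_challenge "$WORK/other.sig"
}

enrol() {
  ca_setup
  client_make_csr
  ca_issue_challenge
  client_sign_challenge
  ca_verify_challenge "$WORK/challenge.sig"
  ca_sign_csr
}

enrol
csr_carries_no_private_key && echo "CSR contains no private key"
cert_matches_local_key     && echo "certificate matches the locally generated key"
cert_chains_to_ca          && echo "certificate verifies against the CA"
wrong_key_fails_challenge  && echo "challenge signed with the wrong key is rejected"
```

The CSR's self-signature already proves possession of the private key at request time; the separate challenge-response step adds a fresh value chosen by the CA, so a replayed or stolen request cannot be completed without the key. Neither step requires the private key to leave the client.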
