Full Disclosure mailing list archives
Re: PGP vs. certificate from Verisign
From: Jason <security () brvenik com>
Date: Sat, 10 May 2003 16:15:50 -0400
Steve Poirot wrote:
> I'm 98% sure that the key pair is generated on the client machine and that just the public key is transmitted to the CA. The reason I say 98% instead of 100% is that it's possible that a CA just makes it look like that's what's happening. This could be verified by sniffing the session.
>
> Steve Poirot
It is not possible, when properly implemented, for the CA to make it look like you generated your private key when it (the CA) actually did; the resulting certificate would not validate against your previously generated key pair. In the case of an implementation failure you would have to verify this... which is what you should _always_ do with _proper_ certificates, since they can be legally binding. I know this to be the case in the US and Europe at least.

There have been cases, however, where it is possible to cause a certificate to look like a trusted issuing authority after import when it should have been an end entity. This would allow for inferred trust without a warning, but that is for a different time...
[snip]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
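The check Jason describes, and the substitution Steve worried about, as an added example that is not part of the thread: a toy CA built with the openssl command line that either signs the public key presented in the client's CSR (honest) or quietly mints its own key pair for the same subject (dishonest), followed by the comparison that tells the two certificates apart. The subject names, file names and the toy CA itself are made up for the example; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. A toy CA signs either the
# key from the client's CSR or a key it generated itself, then we run the
# check the post says to always do: does the certified public key equal the
# public half of the key pair we generated locally? Names/paths are made up.
set -eu
WORK="$(mktemp -d)"

gen_key() {   # $1 = output path; fresh RSA-2048 private key
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, computed two ways so a private
# key and a certificate can be compared on equal terms.
spki_fp_of_key() {    # $1 = private key (PEM)
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
spki_fp_of_cert() {   # $1 = certificate (PEM)
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints MATCH only if the certificate certifies the public half of $2.
cert_matches_key() {  # $1 = cert, $2 = private key
    c="$(spki_fp_of_cert "$1")"; k="$(spki_fp_of_key "$2")"
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo MATCH; else echo MISMATCH; fi
}

# Prints OK if the leaf chains to the CA (the only thing a relying party checks).
chain_verifies() {    # $1 = CA cert, $2 = leaf cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# --- toy CA ---
gen_key "$WORK/ca.key"
openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Toy CA" -days 1 \
    -out "$WORK/ca.crt" 2>/dev/null

# --- client: key pair never leaves the machine, only the CSR does ---
gen_key "$WORK/client.key"
openssl req -new -key "$WORK/client.key" -subj "/CN=steve.example" \
    -out "$WORK/client.csr" 2>/dev/null

# Honest CA: signs exactly the public key carried in the CSR.
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 1 -out "$WORK/honest.crt" 2>/dev/null

# Dishonest CA: ignores the CSR, generates its own key pair for the same
# subject, and hands back a certificate for that key instead.
gen_key "$WORK/ca_made.key"
openssl req -new -key "$WORK/ca_made.key" -subj "/CN=steve.example" \
    -out "$WORK/forged.csr" 2>/dev/null
openssl x509 -req -in "$WORK/forged.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 2 -days 1 -out "$WORK/dishonest.crt" 2>/dev/null

# Both certificates chain to the CA; only the key comparison exposes the swap.
echo "honest:    chain=$(chain_verifies "$WORK/ca.crt" "$WORK/honest.crt") \
key=$(cert_matches_key "$WORK/honest.crt" "$WORK/client.key")"
echo "dishonest: chain=$(chain_verifies "$WORK/ca.crt" "$WORK/dishonest.crt") \
key=$(cert_matches_key "$WORK/dishonest.crt" "$WORK/client.key")"
```

Run it with `sh`. The dishonest certificate passes `openssl verify` just like the honest one, which is why path validation alone cannot detect a CA that substituted its own key pair; comparing the certificate's public key against the key you generated (or, as Steve suggested, watching that only the CSR leaves the wire) is the check that does. The same comparison is what a TLS client or S/MIME agent effectively performs when it tries to use a private key with a certificate that was not issued for it.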
Current thread:
- PGP vs. certificate from Verisign Kamal Habayeb (May 09)
- Re: PGP vs. certificate from Verisign Valdis . Kletnieks (May 09)
- Re: PGP vs. certificate from Verisign Shawn McMahon (May 09)
- Re: PGP vs. certificate from Verisign Scott M. Algatt (May 09)
- Re: PGP vs. certificate from Verisign Anne Carasik (May 09)
- Re: PGP vs. certificate from Verisign Georgi Guninski (May 10)
- RE: PGP vs. certificate from Verisign Kamal Habayeb (May 10)
- Re: PGP vs. certificate from Verisign Steve Poirot (May 10)
- Re: PGP vs. certificate from Verisign Derek Atkins (May 10)
- Re: PGP vs. certificate from Verisign Ben Laurie (May 10)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign yossarian (May 10)
- [OFFTOPIC] PGP vs. certificate from Verisign Kurt Seifried (May 10)
- Re: [OFFTOPIC] PGP vs. certificate from Verisign yossarian (May 10)
- Re: PGP vs. certificate from Verisign Valdis . Kletnieks (May 09)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign Georgi Guninski (May 11)
- <Possible follow-ups>
- RE: PGP vs. certificate from Verisign Evans, TJ (BearingPoint) (May 09)
- Re: PGP vs. certificate from Verisign yossarian (May 09)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign yossarian (May 10)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign yossarian (May 09)