Security Basics mailing list archives

RE: Stealing certificates


From: Rygg Christian <christian.rygg () edb com>
Date: Mon, 25 Nov 2002 09:19:06 +0100

Hi,

I think I was a bit inaccurate in my mail. I meant to ask about stealing a
certificate (which isn't actually stealing, I know) AND the corresponding
private key. I'm just used to working with PKCS#12 files, and calling them
certificates, even though I know that's not accurate, as they contain the
private key as well. Sorry about the mixing of names/expressions :)

C Rygg

-----Original Message-----
From: Adrian McCullagh [mailto:Adrian.McCullagh () freehills com]
Sent: Friday, November 22, 2002 2:16 AM
To: Rygg Christian
Cc: 'SECURITY-BASICS () SECURITYFOCUS COM'
Subject: Re: Stealing certificates



Rygg,

I am confused by your request for information.

Firstly, the private key is not stored in a certificate; only the public key
is embodied in a certificate.

Secondly, it does not matter that someone can so called "steal" a
certificate.  The certificate is meant to be copied and exposed to as many
organisations as possible.

The issue of inserting a fake certificate is very problematical and easy to
achieve.  Especially as the procedure of inserting Certificates has been
published by MS.

Dr. Adrian McCullagh Ph. D.
Solicitor
Freehills

Direct 61 7 3258 6603
Telephone 61 7 3258 6666
Facsimile 61 7 3258 6444
http://www.freehills.com



