Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- certificate distribution
February 17, 2007, 5:41 am
rate this thread
Maybe I should have titled this "key distribution", but I think this
is a bit different. I don't even know if this is a good place for it,
but I can't really find much discussion of it anywhere. Any ideas,
like where else to ask, would be appreciated.
I use a self signed certificate for digital signing (I haven't
ventured into encryption yet) and so far have sent it to a few friends
to get a sense for how it works. So far, so good: I created a PKCS12
file with OpenSSL, imported into Thunderbird, and then let
Thunderbird package up an S/MIME file that my correspondent's mail
client can unpack, and accept the public certificate, and then after
that we can exchange signed messages. The two mail clients handle all
the nitty gritty of unpacking, storing, and using the certificates.
OK, so first of all I'm trusting OpenSSL and Thunderbird to guard my
private key. I guess I can live with that, but it seems a bit flaky.
But, what if I want to be a little more secure about this, and carry
my certificate around on a memory stick with me, and give it to my
correspondents when I see them? Will the system support this?
I don't want to give anyone else the PKCS12 file I created, since it
contains the private key, right? So can I just carry around a PEM
file, and then either my correspondent ought to be able to import it
directly into the mail client, or convert it into another format with
OpenSSL or some other tool?
Moreover, am I being hopelessly old-fashioned with this? Does the
future belong to Verisign and its friends, and not to someone carrying
around a certificate on his keychain? If I really needed security, of
course it wouldn't work, but I thought it might be fun to harness the
six degrees of separation phenomenon simply by trading keys. We could
all get business cards with our certificates contained in some sort of
RF or magnetic strip on them, and pass them around. Yes, of course I
see the problems with this, but it seemed like it might work for low-
Thanks for any light you can shed.
- Ertugrul Soeylemez
February 19, 2007, 1:01 am
Re: certificate distribution
You're taking a much too complicated approach. Why don't you just use
GnuPG and Enigmail for Thunderbird? This makes things simple.
To the actual problem: Keyservers and trustcenters are good methods to
distribute keys, if there aren't any other possibilities. Otherwise,
it's always best to give you keys away personally.
- Anne & Lynn Wheeler
February 19, 2007, 2:28 am
Re: certificate distribution
old email from early 80s mentioning public key
Date: 05/06/81 13:45:20
5. Security - VNET does not change this. ie Security can be breached
with or without VNET. The favorate IBM watering hole is far less
secure than VM/370 or VNET. eg There are NO read, write, or multi-write
passwords on any mini-disk that I might have confidential info on.
Yes, I know about global passwords, but I also know who has them and
why. ( total of 4 individuals here including myself ).
6. Definite need for Crypt using public and private keys. Sender uses
public key of individual which requires private key of individual to
unlock. This solves the problem of unauthorized persons gaining
access to unread mail files.
... snip ...
little drift, internal network (VNET) was larger than arpanet/internet
until sometime mid-85
misc. other old email mentioning public key
including using CJNTEL on the internal network for public
key server ... recent post
http://www.garlic.com/~lynn/2006w.html#12 more secure communication over the
other old email mentioning CJNTEL
past collected posts mentioning certificateless public key
- » Last Call for Papers: 2007 International Conference on Grid Computing and Applications (G...
- — Previous thread in » General Computer Security