certificate distribution

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

Maybe I should have titled this "key distribution", but I think this
is a bit different.  I don't even know if this is a good place for it,
but I can't really find much discussion of it anywhere.  Any ideas,
like where else to ask, would be appreciated.

I use a self signed certificate for digital signing (I haven't
ventured into encryption yet) and so far have sent it to a few friends
to get a sense for how it works.  So far, so good: I created a PKCS12
file with OpenSSL, imported into Thunderbird, and then  let
Thunderbird package up an S/MIME file that my correspondent's mail
client can unpack, and accept the public certificate, and then after
that we can exchange signed messages.  The two mail clients handle all
the nitty gritty of unpacking, storing, and using the certificates.

OK, so first of all I'm trusting OpenSSL and Thunderbird to guard my
private key.  I guess I can live with that, but it seems a bit flaky.
But, what if I want to be a little more secure about this, and carry
my certificate around on a memory stick with me, and give it to my
correspondents when I see them?  Will the system support this?

I don't want to give anyone else the PKCS12 file I created, since it
contains the private key, right?  So can I just carry around a PEM
file, and then either my correspondent ought to be able to import it
directly into the mail client, or convert it into another format with
OpenSSL or some other tool?

Moreover, am I being hopelessly old-fashioned with this?  Does the
future belong to Verisign and its friends, and not to someone carrying
around a certificate on his keychain?  If I really needed security, of
course it wouldn't work, but I thought it might be fun to harness the
six degrees of separation phenomenon simply by trading keys.  We could
all get business cards with our certificates contained in some sort of
RF or magnetic strip on them, and pass them around.  Yes, of course I
see the problems with this, but it seemed like it might work for low-
stakes security.

Thanks for any light you can shed.

Re: certificate distribution

Quoted text here. Click to load it

You're taking a much too complicated approach.  Why don't you just use
GnuPG and Enigmail for Thunderbird?  This makes things simple.

To the actual problem:  Keyservers and trustcenters are good methods to
distribute keys, if there aren't any other possibilities.  Otherwise,
it's always best to give you keys away personally.


Re: certificate distribution

Thanks, I'll look at those solutions.

Re: certificate distribution

Quoted text here. Click to load it

old email from early 80s mentioning public key

To: wheeler
Date: 05/06/81  13:45:20

 5. Security - VNET does not change this. ie Security can be breached
    with or without VNET.  The favorate IBM watering hole is far less
    secure than VM/370 or VNET. eg There are NO read, write, or multi-write
    passwords on any mini-disk that I might have confidential info on.
    Yes, I know about global passwords, but I also know who has them and
    why. ( total of 4 individuals here including myself ).
 6. Definite need for Crypt using public and private keys. Sender uses
    public key of individual which requires private key of individual to
    unlock. This solves the problem of unauthorized persons gaining
    access to unread mail files.

... snip ...

little drift, internal network (VNET) was larger than arpanet/internet
until sometime mid-85

misc. other old email mentioning public key

including using CJNTEL on the internal network for public
key server ... recent post
http://www.garlic.com/~lynn/2006w.html#12 more secure communication over the

other old email mentioning CJNTEL

past collected posts mentioning certificateless public key

Site Timeline