Re: PGP vs. certificate from Verisign

[Jason <security () brvenik com>]

Georgi Guninski wrote:
> I am not an expert, but AFAIK at some time the key issuer have your 
> *private* key because they issue the key. I am not comfortable someone 
> else having my private key no matter if they claim they don't keep it.
>
> Georgi

Not in the normal operations of PKI. Briefly, in the classic case the 
private key is generated at the requesting system and a public key is 
sent to the issuing authority as a cdertificate signing request for 
signing. The issuing authority does some validation of stuff and then 
returns the public key in the form of a signed certificate. This 
prevents tampering of the contents of the complete certificate by 
providing a signature created with the private key of the issuer, the 
public key of the issuer can then be used to verify this signature.

There are implementations that will do key escrow and they are all about 
being able to recover intellectual properties by the legal owners in the 
case that the encrypting authority (user) refuses or is unable to 
provide them. Basically this is for corporations that have PKI and use 
it to recover from any number of cases that can make it impossible for 
an employee to decrypt information. Examples would be a car accident 
that takes the life of the employee or termination...

In this case there are safeguards that are implemented to ensure that 
the recovery of a key is only possible when justified. It is the 
equivalent of aligning the stars and planets correctly and then proving 
that there is a true eclipse even though it should not be happening.

-J


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html