Full Disclosure mailing list archives
[OFFTOPIC] PGP vs. certificate from Verisign
From: "Kurt Seifried" <listuser () seifried org>
Date: Sat, 10 May 2003 13:59:34 -0700
This is not on topic, hence the [OFF TOPIC].

At no point should the CA EVER have your private key(*). If this were the case then why are we using public/private key crypto? You send YOUR PUBLIC key to the CERTIFICATE AUTHORITY who signs it with THEIR PRIVATE key and sends it back to you. Of course it is possible they have messed around with the software so that your private key is sent, but I find this unlikely unless there is some security hole in your local software (hint: MS crypto provider would let you know something is trying to access your key). If you don't trust them, set up a private/public key, export the public key and send that to the CA.

This whole discussion is INCREDIBLY OFF TOPIC for full-disclosure, unless someone has news/proof that a certificate authority is gathering private keys or something similar.

* I'm sure there are some extremely odd corner cases but I can't think of them first thing in the morning.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
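The flow described in the message above, as an added example that is not part of the original post: the key pair is generated locally, only a certificate signing request (public key plus a proof-of-possession signature) goes to the CA, and the issued certificate is checked against the local key. It assumes the `openssl` command-line tool is installed; the subject names, file names and throwaway test CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: subjects, paths and the test CA are constructed, not from the post.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subscriber side: generate the key pair locally. user.key never leaves $WORK;
# the CSR holds the public key and a signature made with the private key.
make_csr() {
    openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/user.key" -subj "/CN=user.example" \
        -out "$WORK/user.csr"
}

# What the CA receives is user.csr only. Succeeds if the file carries no
# private key block and its self-signature (proof of possession) verifies.
csr_is_public_only() {
    ! grep -q "PRIVATE KEY" "$WORK/user.csr" &&
        openssl req -in "$WORK/user.csr" -noout -verify >/dev/null 2>&1
}

# CA side: a throwaway CA signs the subscriber's public key with ITS private key.
ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Example Test CA" -days 1 -out "$WORK/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/user.crt" 2>/dev/null
}

# Back on the subscriber side: the returned certificate must carry the same
# public key as the local private key, and must verify against the CA cert.
cert_matches_local_key() {
    a=$(openssl x509 -in "$WORK/user.crt" -noout -pubkey)
    b=$(openssl pkey -in "$WORK/user.key" -pubout)
    [ "$a" = "$b" ] &&
        openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1
}

make_csr && csr_is_public_only && ca_sign && cert_matches_local_key &&
    echo "certificate issued; private key stayed local"
```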