Eddy Nigg wrote:
> From what I've heard about such practices, the PKX file is 
> password protected and delivered by simple email. But obviously anybody 
> getting hold of the mail and file can easily brute-force attack it with 
> a simple script.
> 
> I think this is the issue Nelson is addressing. Receiving a PKX file 
> from a CA web site doesn't really involve the same risk.

I'm unclear on what you're saying here: Are you saying that sending a 
copy of the PKCS12 file to a user via email is less secure than having 
the user go to the web site and retrieve it himself? But if the CA tells 
the user where to download the PKCS12 file, and sends those instructions 
via email, I'm not sure what the difference would be -- someone could 
intercept the email and then download it also. (Although CAs could 
presumably detect the "double download" case and at least be aware that 
something non-standard was going on.)

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
