> Hi > On Sunday 20 October 2019 at 3:20:41 PM, in > <mid:87a79vsdl2....@mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:-
> [...] > I'm no expert but their Certificate Policy reads to me that the > private key is compromised right from the start. I think usually the > keys are generated on the subscriber's device and only the public key > goes to the CA to be certified. > https://www.actalis.it/documenti-it/caact-free-s-mime-certificates-policy.aspx > 3.2.2 Proving possession of private key > The private cryptographic key corresponding to the public key > within the certificate is generated by the CA (with a suitable > algorithm, size, etc.) and subsequently sent to the subscriberin > PKCS#12 for-mat[PFX], via email, thereby insuring that the > subscriber does possess the private key.The password needed to > import the PKCS#12 file isprovided to the subscriber out-of-band > (via web), therefore protecting it from unwanted disclosure to > third parties. The CA does not retain such pass-word, so that the > legitimate subscriber –assuming that he/she keeps such password > confidential –remains the only person able to import the PKCS#12. Oops this is really bad. I should have read this. Thanks for pointing it out. I am wondering why they do such a bizarre thing? Maybe it is easier to implement?
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users