> MFPA via Gnupg-users wrote in <1171562612.20191022004056@my_localhost_AR>:
> |On Sunday 20 October 2019 at 3:20:41 PM, in
> |<mid:87a79vsdl2....@mat.ucm.es>, Uwe Brauer via Gnupg-users wrote:-
> |
> |> I just found that
> |> https://extrassl.actalis.it/portal/uapub/doProcess
> |
> |> Provides a free smime certificate.
> ...
> |> does somebody know whether there is a security
> |> breach, the way this
> |> certificate was generated?
> |
> |I'm no expert but their Certificate Policy reads to me that the
> |private key is compromised right from the start. I think usually the
> I think it is common that S/MIME and SSL certificates are
> delivered via PKCS12, including the private key. You then seem to
> extract the individual things like

I think this is a severe security breach. The private key should never leave your computer.

> $ openssl pkcs12 -in cert.p12 -out certpem.pem -clcerts -nodes
> $ # Alternatively
> $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts -nokeys
> $ openssl pkcs12 -in cert.p12 -out key.pem -nocerts -nodes
> |keys are generated on the subscriber's device and only the public key
> |goes to the CA to be certified.

> This is possible via CACert.org, at least still (out of money).
> You create your local signing request, and the private key.pem never
> leaves your own box:
> $ openssl req -nodes -newkey rsa:4096 -keyout key.pem -out creq.pem
> (Ensure all email addresses of desire are included in the web
> form.)

> Unfortunate that besides Comodo there seems no other provider of
> free S/MIME certificates. You can only self-sign, and provide

Comodo does not offer this any more. At the beginning of the year they reduced the smime certificates' validity from 1 year to 1 month, now they withdraw it altogether.

> a safe transport for a certificate to compare with. Which is why
> PGP is so nice.

Well yes sort of, but I can tell you from my own experience PGP is more for hackers while smime is not. I have convinced 6 of my friends to use smime, but only one to pgp. Self-signed smime certificates are basically useless, because then you have to tell the other user either to install a root certificate or to trust the certificate, in which case smime loses its convenience (compared to pgp).
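The two key-handling models the thread contrasts, as an added example that is not part of the original mail: a recipient-side check for whether a delivered PKCS#12 bundle contains a private key at all (if it does, the issuer held that key), next to the CSR flow in which only the request leaves the machine. It assumes the openssl CLI is installed; the subject names and the password `changeit` are constructed placeholders, and rsa:2048 replaces the thread's rsa:4096 only to keep the run short.

```shell
#!/bin/sh
# Added example, not from the thread. Contrasts a CA-delivered PKCS#12 bundle
# that ships the private key (detectable by the recipient) with a locally
# generated key plus CSR, where only the request leaves the machine.
# Requires the openssl CLI. Subject names and the password "changeit" are
# constructed placeholders; rsa:2048 is used instead of rsa:4096 for speed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Local flow: key and CSR are generated here; only creq.pem goes to the CA.
# Returns 0 when the CSR carries no private key material.
make_local_csr() {
    openssl req -nodes -newkey rsa:2048 -keyout "$WORK/key.pem" \
        -out "$WORK/creq.pem" \
        -subj "/CN=Alice Example/emailAddress=alice@example.org" 2>/dev/null
    ! grep -q "PRIVATE KEY" "$WORK/creq.pem"
}

# Constructed stand-in for an issuer-delivered bundle: a self-signed
# certificate and its private key exported together into cert.p12.
make_bundled_p12() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
        -keyout "$WORK/bundle_key.pem" -out "$WORK/bundle_cert.pem" \
        -subj "/CN=Bundled Example/emailAddress=bob@example.org" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/bundle_cert.pem" \
        -inkey "$WORK/bundle_key.pem" -out "$WORK/cert.p12" \
        -passout pass:changeit
}

# Recipient-side check: does a PKCS#12 file contain a private key?
# Prints "yes" or "no". "yes" means whoever built the bundle held the key.
p12_contains_private_key() {
    if openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:changeit \
        2>/dev/null | grep -q "PRIVATE KEY"; then
        echo yes
    else
        echo no
    fi
}

make_local_csr && echo "CSR written; key.pem never left $WORK"
make_bundled_p12
echo "cert.p12 carries a private key: $(p12_contains_private_key "$WORK/cert.p12")"
```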
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users