certutil is available as a binary at ftp.mozilla.org/pub/security/nss/releases. It is available outside of the U.S. provided you are not in an export-controlled state or on the watch list, see http://www.mozilla.org/projects/security/pki/src/download.html


Regarding the discussion in the bug, you are making philosophical objections about the nature of PKI. You bring up the usual complaint the PKI-is-hard-so-why-bother, and relate the amount of effort you had to invest in getting a cert from a well-known CA that includes your name. You then compare this to PGP, where one is not required to pay $20 to a notary public in order to build trust.

These objections are all well and good, but you move on to discuss a remedy by which everyone has self-signed email certs created with certutil (or similar utility) and imported into the browsers/mailers of would-be senders. Thus the distribution model is similar to PGP, and the "enrollment" model is also similar (in that it's DIY). Essentially, you are trying to graft ideas from PGP onto PKI.

There is simply no security in that. PGP works on the "web-of-trust" model, but with PKI you can have only one signer of your certificate. In fact, in the model you suggest, that one signer would be yourself. *Anyone* can create a self-signed cert with any name they choose in it. How do you know which one (if any) is authentic?

You make one suggestion, that these certs originate from personal homepages. The security of DNS/http/etc. aside, once someone has downloaded your cert, how do they continue to verify its authenticity? How does he know an attacker has not surreptitiously replaced it with another cert, containing the same name, serial number, etc.? The only secret your actual cert represents is the private key, thus I suppose you could sign some text and publish it on your website. But for any semblance of security (again, assuming your website itself can be trusted), a sender must verify that text before using the cert.

In PKI, this is done by verifying the cert's chain to a trusted root. An attacker cannot replace your cert with another without breaking some part of PKI. In your model, all that is required is for the attacker to get his cert into the sender's machine.

-Ian
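To make the last two paragraphs concrete, here is an added shell demonstration that is not part of Ian's post: it assumes the openssl command-line tool is installed and builds a throwaway root CA, a cert for "Alice" issued by that root, and a self-signed impostor cert with the identical subject. Comparing subject names cannot tell the two apart; chain validation against the trusted root accepts only the genuine one.

```shell
#!/bin/sh
# Added demonstration, not code from the original post. Assumes the openssl
# CLI is installed; every key and certificate below is constructed here in a
# scratch directory (the root CA, Alice's cert, and the impostor's cert).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A trusted root CA, standing in for the relying party's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" >/dev/null 2>&1

# 2. Alice's genuine certificate, signed by that root.
openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
  -subj "/CN=Alice Example/emailAddress=alice@example.com" >/dev/null 2>&1
openssl x509 -req -days 30 -in alice.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out alice.crt >/dev/null 2>&1

# 3. An impostor's self-signed certificate carrying exactly the same subject,
#    which is all a relying party has to go on in the self-signed model.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout impostor.key -out impostor.crt \
  -subj "/CN=Alice Example/emailAddress=alice@example.com" >/dev/null 2>&1

# Subject name of a certificate in RFC 2253 form.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Succeeds only if the certificate chains to the trusted root in ca.crt.
# The self-signed impostor fails here: its only signer is itself.
chains_to_root() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Names alone cannot tell the two certificates apart...
if [ "$(cert_subject alice.crt)" = "$(cert_subject impostor.crt)" ]; then
  echo "identical subjects: $(cert_subject alice.crt)"
fi
# ...but chain validation to the trusted root can.
chains_to_root alice.crt && echo "alice.crt: chains to the trusted root"
chains_to_root impostor.crt || echo "impostor.crt: rejected, no trusted issuer"
```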

