It is not the connection I was referring to but the environment that was generating the certs. Was the original user attempting to store his client's generated key pairs on his server? Then that server better be secured. Perhaps I wasn't clear on that point. However, I personally would never use key pairs generated by another to be used for identification purposes.
Finally, sniffing/replaying a csr is pointless. You still don't have access to the private key to decrypt messages intended for me if that key was generated by me and remains secured by me. Nor would any CA worth it's salt sign a csr without the proper verification (and payment!) method. As an example, Verisign issues unique identifiers for each csr to an authorized requestor prior to granting the signing request. Once used, a replay is easily detected. -----Original Message----- From: POLIVKA-ROHRER, KEITH W (AIT) [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 06, 2001 5:53 PM To: '[EMAIL PROTECTED]' Subject: RE: Cryptology Questions Regarding key distribution, no one but the owner should have access to the private key. What reason would the server have for sending a client their public AND private key? To ensure confidentiality and integrity, the key pair should (must?) be generated by the client. It is the job of the CA to sign the certificate (which contains among other things the owner's public key). The private key itself is not contained within the cert. You should read up on certificate requests to clarify some issues. For whatever reason, if you are attempting to generate and supply both keys to you clients, you have to have a very secure environment. More problematic is that, because you have both keys, I am not guaranteed that someone at your company couldn't impersonate me if I were a client... Riddle me this, then: If the connection isn't secure enough to send the (encrypted) private key across, why is it secure enough for the credentials the server should require before signing a CSR? Alternately stated, it's much easier to sniff and replay the certificate request than to sniff the private key and decrypt it. Keith ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ***************************************************************** DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]