> I'm curious. You say your CA gave you a PKCS12 file with
> a cert in it, *and* a private key in it? Whose private key
> did they give you? If it's yours, then you've just opened a huge security
> hole by allowing them access to your private key. If it's someone
> else's, can you send it to me so I can forge some documents?
This CA generates the full key pair for me; I didn't give
them my private key. They make a PKCS12 file available
for download which contains the private key, and I have been
able to create a certificate file out of it using openssl,
so in some form or other all the fields in that certificate
are present in the PKCS12 file. Of course it is a bit of
a security hole because they generate the whole key pair,
not just sign a public key I give them. But that is the
case in several corporate PKIs (at least I know of one real
example in a big German corporation), and it is a necessary
hole because employees might lose their private keys, and
the company must be able to access the data employees are
sent, encrypted with their public keys, even after such an
event. I must trust the CA that gave me this certificate of
course. But no one else can see the private key because it is
of course protected with a password of my choice.
The attraction of this service is that I am talking about
a freemail provider; their policy is that you register with
them and they send you a letter with an "activator" key which
I then enter on their web page, and that is enough for them
to trust my identity (I did receive their letter) and issue
me with a certificate. No cost for me at all. And I get a
nice "real world" example to study certificates and PKI and
openssl, which I need to do.
Sebastian
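What the post describes (pulling the certificate out of the CA-supplied PKCS12 file with openssl) plus the check a recipient of such a bundle should run, as an added shell example that is not from this thread or the OpenSSL project. It assumes the openssl CLI is on PATH and, since the real download is not on the page, builds a constructed self-signed bundle in place of the CA's file.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI is installed.
# Builds a constructed PKCS#12 bundle standing in for the one the CA offers for
# download, then does what the post describes: pulls the certificate out with
# openssl, pulls the password-protected private key out, and checks they belong together.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

P12_PASS='constructed-import-password'   # the password of the user's choice
KEY_PASS='constructed-key-passphrase'    # new passphrase for the extracted key

# Constructed stand-in for the CA: it generates the key pair AND the certificate
# (key escrow, as the post notes), then packs both into a PKCS#12 file.
make_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Sebastian Example/O=Freemail Example' \
        -keyout "$WORK/ca_generated.key" -out "$WORK/ca_generated.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/ca_generated.crt" -inkey "$WORK/ca_generated.key" \
        -name 'freemail-cert' -passout "pass:$P12_PASS" -out "$WORK/bundle.p12"
}

# Step 1: extract only the certificate, no key material (what the post did).
extract_cert() {
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" \
        -clcerts -nokeys -out "$WORK/user.crt" 2>/dev/null
}

# Step 2: extract the private key, re-encrypted under a new passphrase so it
# never sits on disk in the clear.
extract_key() {
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" \
        -nocerts -passout "pass:$KEY_PASS" -out "$WORK/user.key" 2>/dev/null
}

# Step 3: the public key embedded in the certificate must equal the public key
# derived from the private key; otherwise the bundle is mismatched or tampered.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/user.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORK/user.key" -passin "pass:$KEY_PASS" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

make_bundle && extract_cert && extract_key
RESULT=$(check_key_matches_cert)
echo "private key matches certificate: $RESULT"
```

A bundle produced by an older CA may use legacy RC2/3DES encryption, which OpenSSL 3 only reads when `-legacy` is added to the `openssl pkcs12` import commands.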
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]