John P. Wack wrote:
> 
> I don't like the way we give out certificates, but what we do is generate
> the certificate with a Netscape browser on a dedicated system, we import
> the certificate into that browser, then we export it to a file and give
> that file to the user.  The reason I don't like it is because of the
> privacy aspect, however the plus side is that if users forget their
> passwords or lose their certificate file, we can restore it for them.
> And, this is a big plus since Netscape browsers handle CRLs poorly and I
> haven't found that MSIE or Outlook 98 handle them at all.
> 
> So, we generate a .p12 file using 1024-bit keys and all the defaults - no
> SHA-1.  Users have been able to import them into MSIE as long as MSIE
> trusts the Netscape CA first, which we do with the cacert.cac work-around
> suggested by Netscape. Outlook 98, I have to say, provides the most
> user-friendly method for looking up others' certificates.
> 

Does this "dedicated" PC then have everyone's private key and certificate
on it, protected only by the inadequate security of the Netscape
database? I hope it's got a *very* good password!

Also importing keys into MSIE and/or Outlook Express results in zero
security: I hope you enable the UI after you import them otherwise...

No I wouldn't be happy about doing things that way either in a large
organisation: "large" in this sense meaning more than one person :-)

Oh incidentally your CA certificate is duff. It will screw up anyone's
Netscape certificate database you send signed mail to: like you just did
to mine. You need to add a basicConstraints extension with cA set to
true into it.

There should be info in the Netscape CA docs about how to do that. It's
only because of bugs in the CA detection of MSIE, Outlook and Netscape
that it actually works at all.

I've described the problem in my PKCS#12 FAQ but you can't use ca-fix
because you probably can't get access to the CA's private key (and you
shouldn't do it that way anyway).

Steve.
-- 
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
Homepage: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
PGP key: via homepage.
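The defect Steve points out (a CA certificate with no basicConstraints extension asserting cA=TRUE) is something anyone running a small CA can verify before handing the certificate out, rather than relying on the lenient CA detection of the mail clients. What follows is an added example, not code from this thread or from Netscape, Microsoft or the PKCS#12 FAQ: a dependency-free Python check that walks a certificate's DER encoding and reports whether basicConstraints is present, whether it is marked critical, and whether cA is TRUE. The `fake_cert` builder is a constructed fixture with a toy key and a dummy signature, used only to give the check something to parse; `basic_constraints` and `usable_as_ca` are names chosen for this example.

```python
# Added example: inspect a DER certificate for the basicConstraints extension
# (OID 2.5.29.19) and report whether it asserts cA=TRUE. No external libraries.

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19, value bytes only


def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(body)) + body


def children(body):
    """Split the body of a DER constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, first = body[pos], body[pos + 1]
        pos += 2
        if first & 0x80:                       # long-form length
            n = first & 0x7F
            length = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        else:
            length = first
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out


def basic_constraints(der):
    """Return {'present', 'critical', 'ca'} for a certificate's basicConstraints."""
    (_, cert_body), = children(der)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs_body = children(cert_body)[0]       # TBSCertificate
    for tag, value in children(tbs_body):
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        _, ext_list = children(value)[0]       # Extensions ::= SEQUENCE OF Extension
        for _, ext in children(ext_list):
            fields = children(ext)             # extnID, [critical], extnValue
            if fields[0] != (0x06, OID_BASIC_CONSTRAINTS):
                continue
            critical = any(t == 0x01 and v != b"\x00" for t, v in fields[1:-1])
            _, bc_body = children(fields[-1][1])[0]   # BasicConstraints SEQUENCE
            ca = any(t == 0x01 and v != b"\x00" for t, v in children(bc_body))
            return {"present": True, "critical": critical, "ca": ca}
    return {"present": False, "critical": False, "ca": False}


def usable_as_ca(der):
    """True only when the certificate itself asserts cA=TRUE (RFC 5280, section 4.2.1.9)."""
    bc = basic_constraints(der)
    return bc["present"] and bc["ca"]


# --- constructed test fixture: structurally valid X.509v3 DER, dummy key and signature ---

def basic_constraints_ext(ca, critical=True):
    """Build a basicConstraints Extension; DER omits cA when it is the default FALSE."""
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + crit + tlv(0x04, bc))


def fake_cert(extensions=None):
    """Constructed self-issued certificate; pass a concatenation of Extension TLVs or None."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    rsa_key = tlv(0x30, tlv(0x02, b"\x00\xc1") + tlv(0x02, b"\x01\x00\x01"))  # toy modulus/exponent
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + spki
    if extensions is not None:
        tbs += tlv(0xA3, tlv(0x30, extensions))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" + b"\x00" * 4))


if __name__ == "__main__":
    for label, cert in (("no basicConstraints", fake_cert(None)),
                        ("cA=FALSE", fake_cert(basic_constraints_ext(False, critical=False))),
                        ("cA=TRUE, critical", fake_cert(basic_constraints_ext(True)))):
        print(f"{label:22} -> {basic_constraints(cert)}  usable as CA: {usable_as_ca(cert)}")
```

To run the same check on a real CA certificate, convert it to DER first (`openssl x509 -in ca.pem -outform DER -out ca.der`) and pass `open("ca.der", "rb").read()` to `usable_as_ca`. A certificate for which it returns False is exactly the case described above: it may still be accepted by clients with lenient CA detection, but it is not a conforming CA certificate and should be reissued with the extension before it is distributed.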
