Eddy Nigg wrote:
> From what I've heard about such practices is, that the PKX file is
> password protected and delivered by simple email. But obviously anybody
> getting hold of the mail and file can easily brute-force attack it with
> a simple script.
>
> I think this is the issue Nelson is addressing. Receiving a PKX file
> from a CA web site doesn't really involve the same risk.

I'm unclear on what you're saying here: Are you saying that sending a copy of the PKCS12 file to a user via email is less secure than having the user go to the web site and retrieve it himself?

But if the CA tells the user where to download the PKCS12 file, and sends those instructions via email, I'm not sure what the difference would be -- someone could intercept the email and then download it also. (Although CAs could presumably detect the "double download" case and at least be aware that something non-standard was going on.)

Frank

--
Frank Hecker
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto

