Do a search on "public-key encryption" to get an understanding of the
concept.  Here's one article:

http://www.nwfusion.com/news/64452_05-17-1999.html

The certificate that you're sent by the certificate authority contains the
public key of the public/private key pair.  The private key is stored on
your server.  If the public key is intercepted, no harm is done - in fact,
you send the public key out every time someone connects to your secure site.
Make sure you back up the private key, because you cannot recreate it if you
lose it.  Store a copy (or several copies) on floppy disks and keep them
locked up.  It's the private key that you don't want anyone to get hold of,
otherwise they _could_ impersonate you.

Jim
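Jim's point, as an added example that is not part of this thread: a Go program (standard library only) that issues a self-signed certificate for a constructed hostname, then shows that the certificate alone, without the private key that never left the server, cannot pass the proof of possession a TLS client demands. The hostname and the challenge string are made up for the demonstration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// generateCert makes a key pair and a self-signed certificate for a constructed
// hostname (a stand-in for the CA-issued one); only the PEM certificate leaves as bytes.
func generateCert() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "shop.example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// canProve is the handshake's proof of possession reduced to its core: sign a challenge
// with key, verify with the public key in certPEM. Only the certificate's private half passes.
func canProve(certPEM []byte, key *ecdsa.PrivateKey) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("expected a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	pub := cert.PublicKey.(*ecdsa.PublicKey) // generateCert only issues ECDSA keys
	challenge := sha256.Sum256([]byte("constructed handshake transcript"))
	sig, err := ecdsa.SignASN1(rand.Reader, key, challenge[:])
	return err == nil && ecdsa.VerifyASN1(pub, challenge[:], sig), err
}
```

Calling generateCert a second time yields an unrelated key pair, which is exactly the position of anyone who copied the certificate off the retrieval page: canProve returns false for it.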



----- Original Message -----
From: "Josh Levine" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 10:38 PM
Subject: Re: Secure Cert process not secure?!


> > > Entrust goes through great pains to ensure that I am who I say I am, and
> > > that I represent my company.  Finally, through e-mail they send me a
> > > link to retrieve my certificate.  This link takes me to a page that is
> > > neither password protected nor encrypted - and yet it contains my secure
> > > certificate in plain text!
> > >
> > > Am I missing something here?
> >
> > No.  Only you hold the private key.  They are giving you the public cert
> > which contains the information that is available to anyone browsing your
> > secure site (view certificate while at a https page).
>
> I'm obviously new to this part of the business, so please feel free to
> point me in the direction of some documentation that'll answer my
> questions/concerns...
>
> What's the private key?  The password I gave them?  It was my
> understanding that with the code I received on that page, anybody could
> install a certificate on their server and pretend to be me.  Of course
> this would only work without an error message if the DNS was
> controlled.  For example, what if my ISP (not my web host) intercepted
> the link, went to the page and retrieved my certificate code.  They then
> changed their DNS so that all requests for my domain name went to their
> server with my secure certificate.
>
> Is there a reason that this wouldn't work?
>
> Thanks for any clarification,
> Josh Levine
