The best argument is impersonation. Anyone holding the private key can
present himself as the vendor. The risk is that if you download code from
this vendor, you might download aggressive code from someone pretending to be
the vendor.

ITschak

On Thu, Aug 22, 2019 at 3:57 PM Joel M Ivey <[email protected]> wrote:

> A vendor has an ftps server for us to connect to from a batch job on zos.
> Similar setups with vendors have required the vendor to provide their
> server's public cert chain for import into RACF.   This vendor insists on
> providing not just their server public cert chain but also their private
> key.
>
> First, they provided a password-protected p12 file, describing it as
> containing the "root, intermediate, and private certs".  I requested their
> public certificate chain only, they sent me a DER file -- with both the
> server cert and its private key.  I have asked them to elaborate on their
> need to distribute their private key to me, their response has essentially
> been, that's the way we do it.
>
> I'm not comfortable accepting anyone's private key.   There has been no
> mention of "client authentication", and I'm still not sure I'd be
> comfortable with that config, either.
>
> Help me understand two things: 1) what I'm missing as to why any vendor
> would require me to install their private key on my side when installing
> the public cert on my side should suffice as in many other instances, and
> 2) arguments for/against client authentication (not password
> authentication, but client) in case that is why they're sending me their
> private key.
>
> Joel
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>


-- 
ITschak Mugzach
| IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
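Before anything from such a bundle goes into RACF, it is worth confirming what the vendor's file actually carries; the check below is an added example, not code from either poster, and uses only the Python standard library to classify PEM text or raw DER (including several DER objects simply concatenated, as Joel received) by the outer ASN.1 shape of each object. A PKCS#12 container can only be flagged here, not opened, since that needs the password.

```python
import re

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """(tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val

def classify_der(obj):
    """Name a DER object by the shape of its outer SEQUENCE (first elements only)."""
    tag, body, _ = _tlv(obj, 0)
    kids = list(_children(body)) if tag == 0x30 else []
    if kids and kids[0][0] == 0x30:            # Certificate { tbsCertificate SEQUENCE, ... }
        return "certificate"
    if not kids or kids[0][0] != 0x02:         # everything below starts with a version INTEGER
        return "unknown"
    version, tags = int.from_bytes(kids[0][1], "big"), [t for t, _ in kids]
    if version == 3 and tags[1:2] == [0x30]:
        return "pkcs12"                        # PFX { version 3, authSafe ContentInfo } - may hold keys
    if version == 0 and tags[1:3] == [0x30, 0x04]:
        return "private_key"                   # PKCS#8 PrivateKeyInfo { 0, AlgorithmIdentifier, OCTET STRING }
    if version == 0 and len(tags) >= 9 and set(tags) == {0x02}:
        return "private_key"                   # PKCS#1 RSAPrivateKey: nine INTEGERs
    return "unknown"

def inventory(data):
    """List object types in a PEM text or a (possibly concatenated) DER blob."""
    if b"-----BEGIN" in data:
        labels = re.findall(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
        return ["private_key" if b"PRIVATE KEY" in l else
                "certificate" if b"CERTIFICATE" in l else "unknown" for l in labels]
    kinds, pos = [], 0
    while pos < len(data):                     # several DER objects may simply be concatenated
        _, _, nxt = _tlv(data, pos)
        kinds.append(classify_der(data[pos:nxt]))
        pos = nxt
    return kinds

def public_chain_only(data):
    """True only when every object is a certificate: the only thing to import into RACF."""
    kinds = inventory(data)
    return bool(kinds) and all(k == "certificate" for k in kinds)
```

A `pkcs12` result still has to be opened with the password to see what it holds; `openssl pkcs12 -in vendor.p12 -info -nokeys -noout` lists the contents without writing any key material to disk.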
