On 22 Aug 2019 05:57:37 -0700, in bit.listserv.ibm-main (Message-ID:<0049105969039769.wa.jiveycio.sc....@listserv.ua.edu>) ji...@cio.sc.gov (Joel M Ivey) wrote:

First, they provided a password-protected p12 file, describing it as containing the "root, intermediate, and private certs". I requested their public certificate chain only; they sent me a DER file -- with both the server cert and its private key. I have asked them to elaborate on their need to distribute their private key to me; their response has essentially been, "that's the way we do it."

As people have already said, this is incredibly negligent and/or ignorant. I'd hesitate to have any dealings with that company.

I once had to FTP a dump to a vendor. I saw that the directory was set up to allow read without a password. I refused to send the dump until they fixed the security. It was a long time ago, and I can't remember the outcome, though I know they argued with me. I will admit that it's unusual to require a password for read but not for write/create.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
