On Tue, Jul 11, 2000 at 09:16:34AM +0200, Thomas Barthel wrote:
> Maybe I'm too new to this topic but isn't it true that PKCS12 contains both
> the public and the private key?

Yes, the PKCS12 does support both keys. You however cannot download the
PKCS12 directly into the browser. You can only download it to a file
and then import it.
The direct download technique is only available for the cert (which only
contains the public key):
http://home.netscape.com/eng/security/downloadcert.html
(maybe old, but I didn't find any other information stating something
else, so it's ok.)
There seems to be a MIME-type for PKCS12 available:
http://www.crosswinds.net/san-marino/~jom/filex/mime.htm
.p12 application/pkcs-12
.p12 application/x-pkcs-12

I however don't know whether it is actually supported by Netscape.
(If it is, please inform us.)

> Furthermore the client only should be able to prove that he/she got the
> certificate I gave him/her to authenticate. I don't see the need of a
> private key (for the client) here. Well the public key shouldn't be here
> as public as one could think.

You always need the pair. Whether you have to keep the private key
private for your application is a different question you and your organization
have to answer yourselves.
Its intention is to allow the person in question to receive encrypted emails
that only he can read, and to sign messages with proven authenticity.
This is broken by your concept, as you (the CA _and_ key generator)
can read all encrypted messages and can fake the signatures of your
clients. Hence, the automatic generation of the private key on a foreign
server really doesn't make sense. Hence, if I were to write the software,
I would probably omit the feature you are requesting.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
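An added example (not from Lutz's mail or the mod_ssl project) using the openssl command line: it builds a throwaway key pair and certificate, packs them into a PKCS#12 file, and checks that the certificate file carries only the public key while the PKCS#12 file yields the private key too, so whoever holds the PKCS#12 can sign in the subject's name. File names, the subject "demo-client" and the password "secret" are constructed.

```shell
#!/bin/sh
# Constructed demonstration (not from the mail or the mod_ssl project): build a
# throwaway key pair and certificate, pack them into a PKCS#12 file, and check
# what each container holds. Needs the openssl command-line tool.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_material() {
    # Unencrypted RSA key plus self-signed certificate; the subject is made up.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    # Bundle private key and certificate; "secret" is a constructed password.
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/client.p12" -passout pass:secret
}

# Count PEM headers of one kind on stdin ($1 is a grep pattern for the label).
count_pem() { grep -c "^-----BEGIN $1-----" || true; }

# A certificate file carries no private key at all.
cert_private_keys() { count_pem "[A-Z ]*PRIVATE KEY" < "$WORK/cert.pem"; }

# The PKCS#12 file yields the private key once the password is known ...
p12_private_keys() {
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:secret -nocerts -nodes 2>/dev/null |
        count_pem "[A-Z ]*PRIVATE KEY"
}
# ... and the certificate as well.
p12_certificates() {
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:secret -nokeys 2>/dev/null |
        count_pem "CERTIFICATE"
}

# Whoever holds the PKCS#12 (here: the party that generated it) can sign
# messages that verify under the certificate's public key.
p12_holder_signature_verifies() {
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:secret -nocerts -nodes 2>/dev/null |
        sed -n '/^-----BEGIN/,/^-----END/p' > "$WORK/extracted.pem"
    printf 'invoice 42' > "$WORK/msg"
    openssl dgst -sha256 -sign "$WORK/extracted.pem" -out "$WORK/sig" "$WORK/msg"
    openssl x509 -in "$WORK/cert.pem" -noout -pubkey > "$WORK/pub.pem"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
        "$WORK/msg" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_material
echo "private keys in cert.pem: $(cert_private_keys), in client.p12: $(p12_private_keys)"
echo "certificates in client.p12: $(p12_certificates)"
echo "signature from p12 holder verifies under the cert: $(p12_holder_signature_verifies)"
```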