> It is common practice for someone making a certificate request to prove that 
> they have the private key.

Normally "proof of possession" is done by signing the request *with* the 
private key, not sending it in the request. The CA can then verify the 
requester's possession of the private key using the public key (the one that it is 
going to certify) to verify the signature. No private key holder should ever 
send their private key to anyone including the CA - to do so is nonsense and 
undermines PKI's definition of 'private'.

My thanks to Uri for finding this poor treatment of private keys!


Simon McMahon

Work: (07) 31311420
Mobile: (043) 2294180


>>> [EMAIL PROTECTED] 07/05/05 12:50am >>>
> Darn, I thought I explained the problem: openssl "req" seems to require
> private key of the cert requestor, which defeats the whole idea of PKI.

No.

It is common practice for someone making a certificate request to
prove that they have the private key.  This is known as "proof of
possession" and is a common practice.

        /r$

-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com 
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org 
User Support Mailing List                    openssl-users@openssl.org 
Automated List Manager                           [EMAIL PROTECTED]
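The proof-of-possession flow described above, as an added example that is not part of the thread (Go standard library rather than the openssl CLI being discussed): the requester signs a PKCS#10 request with the private key, the CA verifies the signature with the public key carried inside the request, and a request whose embedded key is not the signer's fails that check. The subject name and P-256 key type are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// MakeCSR builds a PKCS#10 request for subject and signs it with priv.
// Only the public key is embedded in the request; priv never leaves the caller.
func MakeCSR(subject string, priv *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: subject},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
}

// CAVerifyPOP is the CA-side proof-of-possession check: parse the request and
// verify its signature using the public key carried inside that same request.
func CAVerifyPOP(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	return csr.CheckSignature()
}

// SimulateKeySubstitution models a request whose embedded public key is not the
// one that made the signature (a requester claiming a key they do not hold).
func SimulateKeySubstitution(der []byte, claimed *ecdsa.PublicKey) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	csr.PublicKey = claimed // what the CA would see if the SPKI had been swapped
	return csr.CheckSignature() // non-nil: signature does not match claimed key
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := MakeCSR("requester.example", priv)
	fmt.Println("genuine request:", CAVerifyPOP(der))
	fmt.Println("substituted key:", SimulateKeySubstitution(der, &other.PublicKey))
}
```

The same check is what `openssl req -verify` performs on a request: the signature must verify under the public key the CA is about to certify, which proves possession without the private key ever being transmitted.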



