On Sun, 22 Jul 2007 14:08:31 -0700 "David Schwartz" <[EMAIL PROTECTED]> wrote:
> > Hi, I see this option when I import but I don't understand something
> > more fundamental. Why doesn't the cert itself have any password
> > protection? Is it because when I created it I specified the key
> > password only to build the cert from the key? And the cert gets
> > built with no protection?
> >
> > Thanks.
>
> Standard tools are designed to enforce the standard security model. In
> the standard security model, certificates only contain public identity
> information. If you have your own non-standard security model where
> certificates need to be kept secret, you have to write your own
> software that enforces that security model and ensure that your keys
> and certificates are never used by software that doesn't understand
> how you want them to be used.
>
> I would strongly urge you, however, to adopt the standard security
> model. It is well-studied and well-understood and in crypto, "rolling
> your own" is a high-risk operation.
>
> The standard model does not provide a way to protect certificates.
> Why do you think you need to?

The pkcs12 export command seems to want both the certificate and the private key to be able to create a certificate containing the private key which the key owner can use to verify signatures and decrypt mail signed and encrypted using his public key. I want to protect the certificate which contains the private key, not the other certificate which I create that contains only the public key.

The terminology is not clear (the client programs Thunderbird, Mozilla mail, Outlook, etc., right or wrong, manage private keys as certificates). I'm not trying to split hairs or rebel against the "standard model", just trying to understand how to protect the certificate containing the private key from use other than by the key owner.

If there is no such thing as a certificate which contains the private key, then I have two questions: how do I protect the private key (which the email clients need to be imported as a "certificate") and why does the pkcs12 command want a certificate to be specified along with the private key when using the export command to create a cert/private suitable for use in verifying signatures and decrypting mail?

Thank you.
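
The distinction discussed in this thread, shown with the openssl command line (an added example, not part of the original messages; the file names, subject and both passwords are constructed): the certificate file parses with no password and holds no key, while the file written by `pkcs12 -export` bundles the private key with the certificate under an export password.

```shell
#!/bin/sh
# Added illustration. File names, the subject and both passwords are made up.

make_identity() {   # $1 = work dir
    # Private key encrypted under its own passphrase, plus a self-signed cert.
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=demo-user" \
        -keyout "$1/key.pem" -passout pass:key-pass \
        -out "$1/cert.pem" 2>/dev/null
}

make_bundle() {     # $1 = work dir
    # -passin unlocks the key file; -passout is the export password that
    # protects the resulting PKCS#12 file (key + certificate together).
    openssl pkcs12 -export -inkey "$1/key.pem" -passin pass:key-pass \
        -in "$1/cert.pem" -name "demo-user" \
        -out "$1/bundle.p12" -passout pass:export-pass
}

cert_is_public() {  # $1 = work dir
    # The certificate parses without any password and holds no private key.
    openssl x509 -in "$1/cert.pem" -noout -subject >/dev/null 2>&1 &&
        ! grep -q "PRIVATE KEY" "$1/cert.pem"
}

bundle_opens_with() {   # $1 = work dir, $2 = password to try
    # Only checks that the password verifies the file; prints nothing.
    openssl pkcs12 -in "$1/bundle.p12" -passin "pass:$2" \
        -nokeys -noout >/dev/null 2>&1
}

bundle_parts() {    # $1 = work dir
    # Counts PEM objects inside the bundle: one certificate + one private key.
    openssl pkcs12 -in "$1/bundle.p12" -passin pass:export-pass -nodes \
        2>/dev/null | grep -c -e "BEGIN CERTIFICATE" -e "BEGIN.*PRIVATE KEY"
}

dir=$(mktemp -d)
make_identity "$dir" && make_bundle "$dir"
cert_is_public "$dir" &&
    echo "cert.pem: readable with no password, no key inside"
bundle_opens_with "$dir" export-pass &&
    echo "bundle.p12: opens with the export password"
bundle_opens_with "$dir" wrong-pass ||
    echo "bundle.p12: rejected with a wrong password"
echo "objects in bundle.p12: $(bundle_parts "$dir")"
rm -rf "$dir"
```
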