On Mon, 23 Jul 2007 13:49:21 -0700 "David Schwartz" <[EMAIL PROTECTED]> wrote:
> Decrypting mail requires the private key. The certificate is not > needed for this purpose. The PKCS12 format provides the ability to > include a collection of keys and certificates and provides a way to > encrypt them. Thanks for explaining this. > > > I want to protect the certificate which contains the private key, > > not the other certificate which I create that contains only the > > public key. > > There is no reason a certificate should ever contain a private key. > You may have a file that contains both a certificate and a private > key. In that case, the private key should definitely be protected. > There is no special reason to protect the certificate as well. Ok, got it. Thanks. > > > The terminology is not clear (the client programs Thunderbird, > > Mozilla mail, Outlook, etc. right or wrong manage private keys as > > certificates) I'm not trying to split hairs or rebel against the > > "standard model" just trying to understand how to protect the > > certificate containing the private key from use other than by the > > key owner. If there is no such thing as a certificate which > > contains the private key, > > There is not. You most likely mean an entry or file that contains > both a certificate and a private key. Understood, thank you. > > > then I have two > > questions: how do I protect the private key (which the email clients > > need to be imported as a "certificate") > > How do you protect the private key *where*? If you mean how do you > convince your client program to store the private key in an encrypted > form so that a password is needed to use it, you are asking in the > wrong place. That's a client operation question. The confusion comes (I think) because the password I used to encrypt the key is not the same password which is used to protect the key once you create a pkcs12 or pem file for use by a mail client (that password must be export password as Dr. Steve explained, I think) > Without a certificate, you don't know what the private key is used > for or who it belongs to. So most programs require a certificate > before they will do much of anything with a private key. > Theoretically, you could decrypt mail without a certificate. All of these clarifications are much appreciated. I understand the highlights of the crypto but not how things are packaged by x.509, pkcs12, etc. Your comments are very helpful Thanks again to you and Dr. Steve and to all who answered these questions. Sorry for mentioning it here but to avoid a separate post, I'm starting to get spammed on this account which I only used for the openssl-users mailing list. That really sucks! Why doesn't the list obfuscate email addresses? ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
