On Tue, 21 Sep 2010, Floyd Resler wrote:
> I got it all figured out.  The part I was missing was combining the
> certificate with the key and giving it to the end-user to install on
> their system.  I was able to use the Web server's certificate for the
> encryption.  The interesting thing is that the client wants ALL
> passwords sent via encrypted email.  Of course, they need the P12 file
> installed in order to view the email and that requires a password to
> install it.

Wait, you didn't send the webserver's certificate to the user, did you?
That's a bad idea.  The email recipient should have her own certificate,
which has both a private and a public part.

The webserver's certificate (presumably the one you have signed by the
CA), especially the private key, needs to be kept *private*, and not
sent all over the place.  Using the same private/public key pair on both
endpoints defeats the purpose of PKI.  You would be better off using
plain old symmetric encryption.

> So, obviously, I can't send that password encrypted.  So, my solution
> is to provide a Web page that the user gets to by an emailed link that
> has a unique identifier and the user must enter a piece of personal
> information for verification (in this case, ZIP code).  Once verified,
> they are shown the password on the page.  That's the only way I can
> think of to do it.  Is that a good solution or does someone have a
> better way?

I'm sure there are some good products out there to handle this.
Personally, for email encryption I always prefer the OpenPGP family of
tools (including GnuPG and commercial PGP).  End-users can install PGP
on their systems, generate public keys, and then send them to the
webserver.  No passwords need to be handed out---they will come up with
their own passphrases when they generate their public/private key pairs.

Erik Arneson <dyb...@lnouv.com>
  GPG Key ID : 1024D/62DA1D25   BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
      Office : +1.541.291.9776    Skype : callto://pymander

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
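To illustrate the scheme Erik describes above (each recipient generates her own key pair, keeps the private half, and hands only the public half to the web server), here is an added PHP example that is not from the thread. It uses PHP's OpenSSL envelope functions instead of OpenPGP, and the key sizes, cipher and sample password are assumptions; the property shown is the same: the server encrypts to the recipient's public key, only that recipient's private key opens the message, and nobody else's key pair (including the server's own) can.

```php
<?php
// Added example, not code from the thread. Demonstrates per-recipient
// public-key encryption: the server never needs the recipient's private key.

// 1. Recipient side: generate a key pair. The private key stays on the
//    recipient's machine; only the public PEM is sent to the server.
function makeKeyPair(): array
{
    $priv = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,                 // assumed size
    ]);
    return ['private' => $priv, 'public_pem' => openssl_pkey_get_details($priv)['key']];
}

// 2. Server side: hybrid-encrypt ("seal") the message. A fresh symmetric key
//    encrypts the body and is itself RSA-encrypted to the recipient's public key.
function sealForRecipient(string $plaintext, string $publicPem): array
{
    $pub = openssl_pkey_get_public($publicPem);
    if ($pub === false) {
        throw new RuntimeException('bad public key: ' . openssl_error_string());
    }
    $sealed = ''; $encKeys = []; $iv = '';
    if (openssl_seal($plaintext, $sealed, $encKeys, [$pub], 'aes-256-cbc', $iv) === false) {
        throw new RuntimeException('seal failed: ' . openssl_error_string());
    }
    return ['sealed' => $sealed, 'enc_key' => $encKeys[0], 'iv' => $iv];
}

// 3. Recipient side: open the envelope with the private key. Returns null
//    when the key does not match (this is the "wrong recipient" failure mode).
function openEnvelope(array $env, $privateKey): ?string
{
    $plain = '';
    $ok = openssl_open($env['sealed'], $plain, $env['enc_key'],
                       $privateKey, 'aes-256-cbc', $env['iv']);
    return $ok ? $plain : null;
}

$alice  = makeKeyPair();   // the intended recipient
$server = makeKeyPair();   // the web server's own key pair (never shared)

// Constructed sample payload; a real system would send the user's initial password here.
$envelope = sealForRecipient('constructed sample: initial password Xy7#example', $alice['public_pem']);

var_dump(openEnvelope($envelope, $alice['private']) !== null);   // true: Alice can read it
var_dump(openEnvelope($envelope, $server['private']) === null);  // true: server's key cannot
```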