On Tue, 21 Sep 2010, Floyd Resler wrote: > I got it all figured out. The part I was missing was combining the > certificate with the key and giving it to the end-user to install on > their system. I was able to use the Web server's certificate for the > encryption. The interesting thing is that the client wants ALL > passwords sent via encrypted email. Of course, they need the P12 file > installed in order to view the email and that requires a password to > install it.
Wait, you didn't send the webserver's certificate to the user, did you? That's a bad idea. The email recipient should have her own certificate, which has both a private and a public part. The webserver's certificate (presumably the one you have signed by the CA), especially the private key, needs to be kept *private*, and not sent all over the place. Using the same private/public key pair on both endpoints defeats the purpose of PKI. You would be better off using plain old symmetric encryption. >So, obviously, I can't send that password encrypted. So, my solution >is to provide a Web page that the user gets to by an emailed link that >has a unique identifier and the user must enter a piece of personal >information for verification (in this case, ZIP code). Once verified, >they are shown the password on the page. That's the only way I can >think of to do it. Is that a good solution or does someone have a >better way? I'm sure there are some good products out there to handle this. Personally, for email encryption I always prefer the OpenPGP family of tools (including GnuPG and commercial PGP). End-users can install PGP on their systems, generate public keys, and then send them to the webserver. No passwords need to be handed out---they will come up with their own passphrases when they generate their public/private key pairs. -- Erik Arneson <dyb...@lnouv.com> GPG Key ID : 1024D/62DA1D25 BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP Office : +1.541.291.9776 Skype : callto://pymander http://www.leisurenouveau.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php