<[EMAIL PROTECTED]> writes:
>Your certificate definition says "additionalRecipients", mine says
>"additionalSubjects", Fred-over-there's says "coKeyOwners". The OIDs for
>these extensions end up all different. A human may be able to parse the
>intent from the ASN.1 it but email programs will have
<[EMAIL PROTECTED]> writes:
><2 cents>In the business cases pointed out where it is good that the multiple
>parties hold the private key, I feel the certificate should indicate that
>there are multiple parties so that Bob can realize he is having authenticated
>and private communications with Alic
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
> Sent: Saturday, July 24, 2004 9:07 PM
> [SNIP]
> A depressing number of CAs generate the private key
> themselves and mail out to the client.
>
Replies to this talked about business cases to have control of the
pri
Peter Gutmann wrote:
> A depressing number of CAs generate the private key themselves and mail out to
> the client. This is another type of PoP, the CA knows the client has the
> private key because they've generated it for them.
It's also cost-effective. The CA model as presented
is too expensive. If
Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> writes:
>Peter, are you talking about generic CAs or in-corporation ones?
Both. Typically what happens is that the CA generates the key and cert and
mails it to the user as a PKCS #12 file, either in plaintext, with the
password in the same email
Anne & Lynn Wheeler <[EMAIL PROTECTED]> write:
>the assertion here is possible threat model confusion when the same exact
>technology is used for two significantly different business purposes.
I don't think there's any confusion about the threat model, which is "Users
find it too difficult to gen
At 02:00 PM 7/26/2004, Richard Levitte - VMS Whacker wrote:
That's all and well, but I can't see why that would be interesting to
a generic, third-party CA. If you're talking about a CA within the
same corporation, then I can understand, since they usually (as far as
I can guess) work from a diffe
In message <[EMAIL PROTECTED]> on Sun, 25 Jul 2004 13:41:56 -0600, Anne & Lynn Wheeler
<[EMAIL PROTECTED]> said:
lynn> At 07:07 PM 7/24/2004, Peter Gutmann wrote:
lynn> >A depressing number of CAs generate the private key themselves
lynn> >and mail out to the client. This is another type of PoP,
At 07:07 PM 7/24/2004, Peter Gutmann wrote:
> A depressing number of CAs generate the private key themselves and mail out to
> the client. This is another type of PoP, the CA knows the client has the
> private key because they've generated it for them.
one could claim that there might be two possible us
"Sean W. Smith" <[EMAIL PROTECTED]> writes:
>I would have thought that de facto standard approach is: the client
>constructs the certificate request message, which contains things like the
>public key and identifying info, and signs it. The CA then checks the
>signature against the public key in
On Jul 19, 2004, at 11:40 AM, Anton Stiglic wrote:
The X.509 PoP (proof-of-possession) doesn't help things out, since a public
key certificate is given to a user by the CA only after the user has
demonstrated to the CA possession of the corresponding private key by
signing a challenge. I suspect
11 matches