Discussion:
certificates
Jo Baggs
2008-10-31 02:24:21 UTC
Is email secure using a certificate like Thawte (free Certificate)? Do we
need to worry about Thawte giving up our Private key to some undesirable
agency?
Neil W Rickert
2008-11-01 04:38:52 UTC
Post by Jo Baggs
Is email secure using a certificate like Thawte (free Certificate)? Do we
need to worry about Thawte giving up our Private key to some undesirable
agency?
The basic method of encryption is essentially the same as that used
by PGP. The important difference is in the trust model. PGP uses
a web of trust, where the certificates (X.509) use a hierarchical
model of trust.

I personally prefer the PGP trust model. But, email using an X.509
certificate should still be secure.

I'm not sure how Thawte would ever get to see your private key.
As far as I know, the normal method is for you to create the private
and public keys yourself, using encryption built into your browser.
Then the public key is submitted to Thawte (or other CA) for signing
to form a certificate. And if it is done as I just described,
then it is not possible for Thawte to give up your private key,
since they don't have it.
Jo Baggs
2008-11-02 02:58:12 UTC
Thanks Neil,
but as I recall, when I asked for a certificate from Thawte, they processed
my request and emailed me when my email cert was ready to download. Don't
they have the private key as well?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Jo Baggs
Is email secure using a certificate like Thawte (free Certificate)? Do we
need to worry about Thawte giving up our Private key to some undesirable
agency?
The basic method of encryption is essentially the same as that used
by PGP. The important difference is in the trust model. PGP uses
a web of trust, where the certificates (X.509) use a hierarchical
model of trust.
I personally prefer the PGP trust model. But, email using an X.509
certificate should still be secure.
I'm not sure how Thawte would ever get to see your private key.
As far as I know, the normal method is for you to create the private
and public keys yourself, using encryption built into your browser.
Then the public key is submitted to Thawte (or other CA) for signing
to form a certificate. And if it is done as I just described,
then it is not possible for Thawte to give up your private key,
since they don't have it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkkL3VkACgkQvmGe70vHPUPkRACghaZMHL0pMS2YfOHc+29zFB+Z
zxgAoKsWGi72qgB7Tsq+HrmaIeV0RTZp
=3dyv
-----END PGP SIGNATURE-----
Neil - Salem, MA USA
2008-11-04 18:50:57 UTC
Post by Jo Baggs
Thanks Neil,
but as I recall, when I asked for a certificate from Thawte, they
processed my request and emailed me when my email cert was ready to
download. Don't they have the private key as well?
Jo Baggs,

You might be able to create your own X.509 (S/MIME) Certificate and private
key. Check out: http://www.bestinternetsecurity.net/282 and also
http://www.slproweb.com/products/Win32OpenSSL.html

Neil - Salem, MA USA
Neil W Rickert
2008-11-06 01:10:36 UTC
Post by Jo Baggs
Thanks Neil,
but as I recall, when I asked for a certificate from Thawte, they processed
my request and emailed me when my email cert was ready to download. Don't
they have the private key as well?
I don't know the details of what you did.

The standard method, which I think was invented by Netscape, is this:

You go to a web site to request a certificate.

The site uses a special url that triggers your browser to generate
a public/private key pair.

Your browser then puts the public key, and your answers to various
questions (name, etc, to identify you) into a document known as
a certificate request. The certificate request is signed with
your private key, thereby proving that you have the private key.

Your browser then uploads the certificate request.

The site owners then must examine the information in your
certificate request, and decide whether to provide a certificate.
They do check the signature on the certificate request, using
the public key contained in that request.

If the site owners agree, then they generate a certificate using mostly
information (and public key) from your certificate request, but
they add restrictions on certificate use and they add a serial
number and expiration date. They then sign the certificate with
their CA key.

The site then notifies you that the certificate is ready.

You go back to the web site, and download your certificate.
Your browser matches it up with the private key you had previously
created.

If that matches your experience, then Thawte does not have your
private key, and has never seen your private key.
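The enrollment flow Neil lays out above (and the do-it-yourself route Neil of Salem points to with OpenSSL) can be walked through end to end in code. The following is an added example written for this page, not code from anyone in the thread, using the Python `cryptography` library. The function names (`make_keypair_and_csr`, `make_ca`, `ca_issue_certificate`, and so on), the toy CA name and the e-mail addresses are all made up for the illustration. The point it makes concrete is the one Neil states: the CA's side of the exchange receives only the certificate request, checks the proof-of-possession signature with the public key inside that request, and signs with its own CA key; the requester's private key is never an input to anything the CA does.

```python
"""Added example: browser-side key generation and CA-side signing of an
S/MIME-style certificate. Not code from the thread; names are hypothetical.
Requires the third-party `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_keypair_and_csr(email):
    # Requester side (the browser in Neil's description). The key pair is
    # generated locally and the private key never leaves this function's caller.
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, email),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    # The CSR carries the public key plus identity answers and is signed with
    # the private key as proof that the requester holds it.
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(
        private_key, hashes.SHA256()
    )
    return private_key, csr.public_bytes(serialization.Encoding.PEM)


def make_ca():
    # Hypothetical toy CA: its own key and name, unrelated to any requester key.
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Toy CA")])
    return ca_key, ca_name


def ca_issue_certificate(ca_key, ca_name, csr_pem, days=365):
    # CA side: the only thing received from the requester is the PEM CSR.
    csr = x509.load_pem_x509_csr(csr_pem)
    # Verify the proof-of-possession signature using the public key in the CSR.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify; request rejected")
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)                    # copied from the request
        .issuer_name(ca_name)
        .public_key(csr.public_key())                 # copied from the request
        .serial_number(x509.random_serial_number())   # CA-chosen serial number
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))  # CA-chosen expiry
        # CA-added restrictions on use: signing and key transport for e-mail only.
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=True, key_encipherment=True,
                data_encipherment=False, key_agreement=False, key_cert_sign=False,
                crl_sign=False, encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False
        )
    )
    cert = builder.sign(ca_key, hashes.SHA256())  # signed with the CA key only
    return cert.public_bytes(serialization.Encoding.PEM)


def certificate_matches_private_key(cert_pem, private_key):
    # Requester side: the browser pairs the downloaded certificate with the
    # private key it created earlier by comparing the public keys.
    cert = x509.load_pem_x509_certificate(cert_pem)
    return cert.public_key().public_numbers() == private_key.public_key().public_numbers()


def certificate_issued_by(cert_pem, ca_key):
    # Any relying party holding the CA's public key can check the issuer signature.
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ca_key.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    user_key, csr_pem = make_keypair_and_csr("alice@example.invalid")  # constructed address
    ca_key, ca_name = make_ca()
    cert_pem = ca_issue_certificate(ca_key, ca_name, csr_pem)
    print("cert pairs with local private key:", certificate_matches_private_key(cert_pem, user_key))
    print("cert signed by toy CA:", certificate_issued_by(cert_pem, ca_key))
```

Note that `ca_issue_certificate` takes only `csr_pem` from the requester; if Thawte's web enrollment matched this shape, there was no step at which the private key could have been sent to them. The case Jo is unsure about, where the CA itself generates the key pair and hands it back, is simply a different flow in which `make_keypair_and_csr` would run on the CA's machine, and then the CA would indeed hold a copy.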
