Post by Jo Baggs
Thanks Neil,
but as I recall, when I asked for a certificate from Thawte, they processed
my request and emailed me when my email cert was ready to download. Don't
they have the private key as well?
I don't know the details of what you did.
The standard method, which I think was invented by Netscape, is this:
You go to a web site to request a certificate.
The site uses a special url that triggers your browser to generate
a public/private key pair.
Your browser then puts the public key, and your answers to various
questions (name, etc., to identify you) into a document known as
a certificate request. The certificate request is signed with
your private key, thereby proving that you have the private key.
Your browser then uploads the certificate request.
The site owners then must examine the information in your
certificate request, and decide whether to provide a certificate.
They do check the signature on the certificate request, using
the public key contained in that request.
If the site owners agree, they then generate a certificate using mostly
information (and public key) from your certificate request, but
they add restrictions on certificate use and they add a serial
number and expiration date. They then sign the certificate with
their CA key.
The site then notifies you that the certificate is ready.
You go back to the web site, and download your certificate.
Your browser matches it up with the private key you had previously
created.
If that matches your experience, then Thawte does not have your
private key, and has never seen your private key.
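The flow described in the reply above, walked through with openssl as an added example (this is not code from either poster, and openssl is assumed to be installed); the subject names, the throwaway CA, the serial number and the usage extensions are all constructed here.

```shell
#!/bin/sh
# Constructed walk-through of the browser/CA certificate request flow.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Steps 1-2: the "browser" generates its own key pair locally.
# The private key is written here and is never uploaded anywhere.
gen_user_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/user.key" 2>/dev/null
}

# Steps 3-4: build the certificate request (public key + identity answers),
# signed with the private key as proof of possession. Only this file is sent.
make_csr() {
    openssl req -new -key "$WORK/user.key" \
        -subj "/CN=jo.baggs@example.test" -out "$WORK/user.csr" 2>/dev/null
}

# Step 5: the CA checks the request's signature using the public key
# that is contained in the request itself (no private key needed).
verify_csr() {
    openssl req -in "$WORK/user.csr" -verify -noout 2>&1 | grep -q 'verify OK'
}

# Step 6: the CA issues a certificate from the request, adding a serial
# number, an expiry and usage restrictions, signed with the CA's own key.
# The CA here is a constructed self-signed one.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -subj "/CN=Example Test CA" -days 30 -out "$WORK/ca.crt" 2>/dev/null
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' \
        > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 4242 -days 30 \
        -extfile "$WORK/ext.cnf" -out "$WORK/user.crt" 2>/dev/null
}

# Step 7: the browser matches the downloaded certificate to its stored
# private key by comparing public keys. Prints "match" when they agree.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$WORK/user.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/user.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] && echo match
}

run_flow() {
    gen_user_key && make_csr && verify_csr && issue_cert && cert_matches_key
}
```

Running `run_flow` prints `match`, and at no point does any file other than `user.csr` and `user.crt` cross between the "browser" and the "CA" sides.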