[15830] in cryptography@c2.net mail archive
Re: dual-use digital signature vulnerabilityastiglic@okiok.com
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sun Jul 25 13:49:35 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, sws@cs.dartmouth.edu
Cc: astiglic@okiok.com
In-Reply-To: <FCF7E1F3-DB2D-11D8-B30E-000A95AEB1D6@cs.dartmouth.edu>
Date: Sun, 25 Jul 2004 13:07:17 +1200
"Sean W. Smith" <sws@cs.dartmouth.edu> writes:
>I would have thought that de facto standard approach is: the client
>constructs the certificate request message, which contains things like the
>public key and identifying info, and signs it. The CA then checks the
>signature against the public key in the message.
A depressing number of CAs generate the private key themselves and mail out to
the client. This is another type of PoP, the CA knows the client has the
private key because they've generated it for them.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
