[15840] in cryptography@c2.net mail archive
Re: dual-use digital signature vulnerabilityastiglic@okiok.com
daemon@ATHENA.MIT.EDU (Ian Grigg)
Wed Jul 28 13:35:28 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Tue, 27 Jul 2004 09:28:51 +0100
From: Ian Grigg <iang@systemics.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: cryptography@metzdowd.com, sws@cs.dartmouth.edu,
astiglic@okiok.com
In-Reply-To: <E1BoXTx-0005fW-QZ@medusa01>
Peter Gutmann wrote:
> A depressing number of CAs generate the private key themselves and mail out to
> the client. This is another type of PoP, the CA knows the client has the
> private key because they've generated it for them.
It's also cost-effective. The CA model as presented
is too expensive. If a group makes the decision to
utilise the infrastructure for signing or encryption,
then it can significantly reduce costs by rolling out
from the centre.
I see this choice as smart. They either don't do it
at all, or they do it cheaply. This way they have a
benefit.
(Then, there is still the option for upgrading to self-
created keys later on, if the project proves successful,
and the need can be shown.)
As a landmark, I received my first ever correctly
signed x.509 message the other day. I've yet to find
the button on my mailer to generate a cert, so I could
not send a signed reply. Another landmark for the
future, of course.
iang
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
