certificate distribution



Hi,

Maybe I should have titled this "key distribution", but I think this
is a bit different. I don't even know if this is a good place for it,
but I can't really find much discussion of it anywhere. Any ideas,
like where else to ask, would be appreciated.

I use a self-signed certificate for digital signing (I haven't
ventured into encryption yet) and so far have sent it to a few friends
to get a sense for how it works. So far, so good: I created a PKCS12
file with OpenSSL, imported it into Thunderbird, and then let
Thunderbird package up an S/MIME file that my correspondent's mail
client can unpack and accept the public certificate from, and after
that we can exchange signed messages. The two mail clients handle all
the nitty-gritty of unpacking, storing, and using the certificates.

OK, so first of all I'm trusting OpenSSL and Thunderbird to guard my
private key. I guess I can live with that, but it seems a bit flaky.
But, what if I want to be a little more secure about this, and carry
my certificate around on a memory stick with me, and give it to my
correspondents when I see them? Will the system support this?

I don't want to give anyone else the PKCS12 file I created, since it
contains the private key, right? So can I just carry around a PEM
file, and then either my correspondent ought to be able to import it
directly into the mail client, or convert it into another format with
OpenSSL or some other tool?

Moreover, am I being hopelessly old-fashioned with this? Does the
future belong to Verisign and its friends, and not to someone carrying
around a certificate on his keychain? If I really needed security, of
course it wouldn't work, but I thought it might be fun to harness the
six degrees of separation phenomenon simply by trading keys. We could
all get business cards with our certificates contained in some sort of
RF or magnetic strip on them, and pass them around. Yes, of course I
see the problems with this, but it seemed like it might work for
low-stakes security.

Thanks for any light you can shed.
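The public-only PEM the post asks about, as an added example that is not part of the original post or any reply. It assumes the `openssl` command-line tool is on PATH; the file names, subject and PKCS12 password are constructed placeholders, and the key pair is a throwaway generated just for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `openssl` on PATH.
# File names, subject and password below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # placeholder, not a real secret

# Build a throwaway self-signed key + cert and bundle them into a PKCS12
# file, mirroring the OpenSSL step the post describes before the
# Thunderbird import. The .p12 holds the PRIVATE key: never hand it out.
make_demo_pkcs12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo User/emailAddress=demo@example.invalid" \
        -keyout "$WORK/me.key" -out "$WORK/me.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/me.key" -in "$WORK/me.crt" \
        -out "$WORK/me.p12" -passout "pass:$P12_PASS"
}

# Extract ONLY the certificate (public half) from the PKCS12 into PEM.
# -nokeys omits the private key; -clcerts keeps just the end-entity cert.
# This PEM is the file a correspondent can import into their mail client.
extract_public_cert() {
    openssl pkcs12 -in "$WORK/me.p12" -passin "pass:$P12_PASS" \
        -nokeys -clcerts -out "$WORK/me-cert.pem" 2>/dev/null
}

# Check before copying a PEM to the memory stick: it must contain a
# certificate block and no private-key block. Returns 0 if shareable.
cert_pem_is_shareable() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1
    ! grep -q 'PRIVATE KEY' "$f"
}

main() {
    make_demo_pkcs12
    extract_public_cert
    if cert_pem_is_shareable "$WORK/me-cert.pem"; then
        echo "safe to share: $WORK/me-cert.pem"
        # Print the fingerprint so it can be read out or printed on a card
        # and compared by the recipient before they trust the import.
        openssl x509 -in "$WORK/me-cert.pem" -noout -subject -fingerprint -sha256
    else
        echo "do NOT share $WORK/me-cert.pem" >&2
        return 1
    fi
}

main "$@"
```

The printed SHA-256 fingerprint is what a correspondent compares against the certificate they import, since a self-signed certificate carries no CA signature for the mail client to check.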
