Re: Private key generation
- From: "Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx>
- Date: Thu, 2 Mar 2006 16:49:10 -0500
Actually ... there are SOME models where the RSA key pair IS generated
on the server (some company in Texas, I believe do that!) ..
designed for roaming profiles or something ..
I guess the idea is that the company deploying that service can GUARANTEE
to store the private keys (and distribute them on demand) to the clients as
needed .. notwithstanding the issues with big-brother peeking at allo those "secured"
server private keys!
- Mitch Gallant
"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message news:%23e$SSBkPGHA.3728@xxxxxxxxxxxxxxxxxxxxxxx
Probably... I agree that it could be a bit misleading, but nevertheless this bullet is correct, esp. if we cite it
completely and reflect what it actually means :-)
"Generating a private key and distributing it to the requester's protected certificate store (CryptoAPI and
cryptographic service providers)."
-Valery.
http://www.harper.no/valery
"Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx> wrote in message news:uQGWr5jPGHA.2828@xxxxxxxxxxxxxxxxxxxxxxx
I think the OP was referring to this bullet:
.. " Generating a private key and distributing it to the requester's protected certificate store "
which is a bit misleading.
That is the client part of the service ... which does generate the private key (locally) and
installs it to the local "protected certificate store" ..
which probablyl means DPAPI secured storage in a capi "keycontainer" file.
- Mitch Gallant
MVP Security
"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message news:uqZgmFjPGHA.2124@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
you have probably misread the article to which you are referring in your post. I've searched the article for
occurrences of word "private" and the only place where they mistakenly used it instead of "public" was when they
described what information about allocated certificates are archived on CA... but otherwise the article always
states that private keys are generated by certificate requestors...
However, there are plenty situations when generation of private key on trusted server makes a perfect sense and is
actually done that way. Such situations may vary from generation of high assurance private keys, enrolling private
keys on tamper resistant devices, enterprise key escrow schemes, identity based encryption and many others.
-Valery.
http://www.harper.no/valery
"Francesco" <Francesco@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:544AB09C-D174-4E82-B242-3B669B9BA97D@xxxxxxxxxxxxxxxx
Hi,
I've read that in a certificate request the private key is generated by CA
and then sent to requester.
(http://technet2.microsoft.com/WindowsServer/en/Library/d7cd44f4-b39a-4d35-bb56-a239f72b7e4c1033.mspx)
Is this correct?
I believe that private and public keys are created by client (maybe csp) and
then, the public key, sent to the CA. In this way private key never pass
trougth the net.
Any suggestion?
Thanks
Francesco
.
- Follow-Ups:
- Re: Private key generation
- From: Valery Pryamikov
- Re: Private key generation
- References:
- Re: Private key generation
- From: Valery Pryamikov
- Re: Private key generation
- From: Mitch Gallant
- Re: Private key generation
- From: Valery Pryamikov
- Re: Private key generation
- Prev by Date: Re: Private key generation
- Next by Date: Re: Private key generation
- Previous by thread: Re: Private key generation
- Next by thread: Re: Private key generation
- Index(es):
Relevant Pages
|
