Re: Passing certificates between processes (and machines)
From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 04/05/03
- In reply to: Daniel Sie (MS): "Re: Passing certificates between processes (and machines)"
From: "Michel Gallant (MVP)" <neutron@istar.ca> Date: Fri, 4 Apr 2003 20:53:13 -0500
As Daniel says, you mustn't even consider moving your private key (used
for signing docs) to another "principal" for signing.
Remember, a secret known by more than 1 person is not a secret at all!
The only thing which makes sense is to download whatever doc that you
are prepared to sign (you DO want to know what you are signing, right?),
sign it locally, and then upload to the required repository location.
This could probably be made fairly transparent in terms of browsing
through database files, indicating one/many you wish to sign, and
then start the download/sign-locally/upload process; this is starting
to sound like a real web-application.
- Mitch
"Daniel Sie (MS)" <dsie@online.microsoft.com> wrote in message
news:#y421xw#CHA.392@TK2MSFTNGP12.phx.gbl...
> To sign, one must possess the private key for the certificate. So, having
> just the X509 cert is not enough. In order to have the server doing the
> signing, you need to also pass on the private key along with the
> certificate, and the best way to do this is via a PFX file.
>
> However, this model, having the server sign using the client's key, is
> flawed. The whole idea of PKI is to keep the private key only to yourself.
>
> Can you elaborate on why you need to have the signing done on the server's
> side?
>
> --
> Thank you,
>
> Daniel Sie [MS]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Paul Mateer" <p.mateer@meridio.com> wrote in message
> news:424f2ade.0304040601.4983751e@posting.google.com...
> > I'm trying to put together a system that will allow a user running a
> > client to digitally sign a document on a server (which may be on their
> > PC or another PC entirely)
> >
> > What would be the best way to pass the certificate from the client
> > application to the server (the client and server communicate using
> > RPC)?
> >
> > Is it just a case of passing the dwCertEncodingType, pbCertEncoded,
> > and cbCertEncoded items to the server and then calling the
> > CertCreateCertificateContext() API function to create a new
> > certificate?
> > If so, will it matter that the server will be running under a
> > different NT account from the user running the client?
> >
> > If you can't or shouldn't pass the certificate from the client to the
> > server in this manner, what would the recommended transfer mechanism
> > be?
> >
> > Thanks for any help offered,
> >
> > Paul Mateer
> > Meridio Limited
> > www.meridio.com
>
>
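
The download, sign-locally, upload flow described in the reply above, as an added example that is not part of the original thread and is not CryptoAPI code. It assumes Node.js; `makeClient`, `makeServer` and `demo` are hypothetical names, and the PEM public key stands in for the X.509 certificate the server would receive.

```javascript
const crypto = require('node:crypto');

// Client side: the key pair is generated and kept here. Only the public half
// (assumption: a stand-in for the encoded certificate) ever leaves the client.
function makeClient() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // The user reviews the downloaded bytes, then signs them locally.
    signDownloaded(docBytes) {
      return crypto.sign('sha256', docBytes, privateKey).toString('base64');
    },
  };
}

// Server side (hypothetical repository): stores documents, never holds a private key.
function makeServer(docs) {
  const signatures = new Map();
  return {
    download: (id) => Buffer.from(docs.get(id)),
    // Accept an upload only if the signature verifies over the stored bytes.
    uploadSignature(id, sigB64, signerPublicPem) {
      if (!docs.has(id)) return false;
      const sig = Buffer.from(sigB64, 'base64');
      const ok = crypto.verify('sha256', docs.get(id), signerPublicPem, sig);
      if (ok) signatures.set(id, { sigB64, signerPublicPem });
      return ok;
    },
    hasSignature: (id) => signatures.has(id),
  };
}

function demo() {
  // Constructed sample document, not data from the thread.
  const stored = new Map([['doc-1', Buffer.from('constructed sample contract text')]]);
  const server = makeServer(stored);
  const client = makeClient();

  const local = server.download('doc-1');        // 1. download
  const sig = client.signDownloaded(local);      // 2. sign locally
  const accepted = server.uploadSignature('doc-1', sig, client.publicPem); // 3. upload

  // A signature made over different bytes must not verify against the stored copy.
  const badSig = client.signDownloaded(Buffer.from('constructed sample contract text (altered)'));
  const rejected = !server.uploadSignature('doc-1', badSig, client.publicPem);
  return { accepted, rejected, stored: server.hasSignature('doc-1') };
}
```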