
cacert-de - Re: Organisation client certs via csr

Subject: Deutschsprachige CAcert Support Liste

  • From: Andreas Bäß <ab AT it-sls.de>
  • To: cacert-de AT lists.cacert.org
  • Subject: Re: Organisation client certs via csr
  • Date: Fri, 13 Nov 2009 17:08:20 +0100

Hi Ian,

PS: I google translated the below but didn't quite get it.

here is my translation:

Das zweite Problem ist, dass die Prozedur zum Ausstellen von
Org-Client-Zertifikaten genauso läuft wie die von normalen
Client-Zertifikaten, d.h. der OrgAdmin generiert Private Key und
Zertifikat in seinem Browser, muss das als *.p12 exportieren und der
"Antragsteller" muss es dann importieren. Für höhere
Sicherheitsanforderungen ist das ein Problem da der OrgAdmin damit
Zugriff auf den Private Key hat. Die Vorgehensweise mit einem Signing
Request (CSR), wie bei den Server-Zertifiakten, wäre an dieser Stelle
zumindest als Alternative sinnvoll, muss aber erst implementiert werden.
Aber, laut CCA sollten CAcert-Zertifikate ja eh nicht für hohe
Sicherheitsanforderungen verwendet werden... :-\

The second problem is that the procedure for issuing org-certificates is the same as for regular client certs. I.e. the Org-Admin generates a private/public key-pair [ ... and gets it signed by CAcert], then exports it as *.p12 and the claimant has to import it then. This is a no go if somebody cares about security as the Org-Admin had access to the private key. It would be useful to change that process to be the same as with server certificates, but that needs to be implemented. But according to CCA you should never use CAcert certificates anyway if there are high security demands.

If that is true, it makes CAcert client certs for users much less useful. I thought the user could ask the Org-Admin to sign the CSR. What a surprise ...

Regards
Andreas
--
Andreas Bäß Service Level Solutions    E-Mail : ab AT it-sls.de
Hermann-Steinhäuser-Straße 43-47       Telefon: +49 69 979 474 43
63065 Offenbach am Main                Fax    : +49 69 979 474 45
USt-Id-Nr.: DE 258560003               Mobil  : +49 170 7644541
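
The CSR-based procedure the message asks for, sketched with OpenSSL as an added example (not part of the original post, and not CAcert's implementation): the requester generates the key pair and hands over only the CSR, so the issuing side never sees the private key. The throwaway test CA, the subject names and the file paths are assumptions constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: the "org CA" is a throwaway local test CA (an assumption
# standing in for the issuing side); subject names and paths are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Requester: generate the key pair locally; only user.csr is handed over.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" \
    -subj "/O=Example Org/CN=Test User" 2>/dev/null
  chmod 600 "$WORK/user.key"
}

# Issuer: reads user.csr only. Check the CSR self-signature (proof that the
# requester holds the matching private key), then sign with the test CA.
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -in "$WORK/user.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/user.crt" 2>/dev/null
}

# SHA-256 of the public key carried by a private key, CSR or certificate.
pubkey_digest() {
  case "$1" in
    *.key) openssl pkey -in "$1" -pubout ;;
    *.csr) openssl req -in "$1" -noout -pubkey ;;
    *.crt) openssl x509 -in "$1" -noout -pubkey ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# True when the file handed to the issuer contains no private key material.
no_private_key_in() { ! grep -q "PRIVATE KEY" "$1"; }

make_csr
sign_csr
echo "key : $(pubkey_digest "$WORK/user.key")"
echo "cert: $(pubkey_digest "$WORK/user.crt")"
no_private_key_in "$WORK/user.csr" && echo "CSR carries no private key"
```

Matching digests show the issued certificate binds the public key of a private key that stayed on the requester's machine, which is the property the *.p12 export procedure cannot give.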
