From: Floyd Resler on

On Sep 21, 2010, at 11:15 AM, Erik L. Arneson wrote:

> On Tue, 21 Sep 2010, Floyd Resler wrote:
>> I got it all figured out. The part I was missing was combining the
>> certificate with the key and giving it to the end-user to install on
>> their system. I was able to use the Web server's certificate for the
>> encryption. The interesting thing is that the client wants ALL
>> passwords sent via encrypted email. Of course, they need the P12 file
>> installed in order to view the email and that requires a password to
>> install it.
>
> Wait, you didn't send the webserver's certificate to the user, did you?
> That's a bad idea. The email recipient should have her own certificate,
> which has both a private and a public part.
>
> The webserver's certificate (presumably the one you have signed by the
> CA), especially the private key, needs to be kept *private*, and not
> sent all over the place. Using the same private/public key pair on both
> endpoints defeats the purpose of PKI. You would be better off using
> plain old symmetric encryption.
>
>> So, obviously, I can't send that password encrypted. So, my solution
>> is to provide a Web page that the user gets to by an emailed link that
>> has a unique identifier and the user must enter a piece of personal
>> information for verification (in this case, ZIP code). Once verified,
>> they are shown the password on the page. That's the only way I can
>> think of to do it. Is that a good solution or does someone have a
>> better way?
>
> I'm sure there are some good products out there to handle this.
> Personally, for email encryption I always prefer the OpenPGP family of
> tools (including GnuPG and commercial PGP). End-users can install PGP
> on their systems, generate public keys, and then send them to the
> webserver. No passwords need to be handed out---they will come up with
> their own passphrases when they generate their public/private key pairs.
>
> --
> Erik Arneson <dybbuk(a)LNouv.com>
> GPG Key ID : 1024D/62DA1D25 BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
> Office : +1.541.291.9776 Skype : callto://pymander
> http://www.leisurenouveau.com/
>
>

I used OpenSSL to generate the P12 file (I haven't actually sent this to anyone since I'm still testing). So, I assumed that it was okay for distribution. Perhaps not. At any rate, I like the idea of the OpenPGP better. I'll see how to do that.

Thanks!
Floyd


From: "Erik L. Arneson" on

On Tue, 21 Sep 2010, Floyd Resler wrote:
> I used OpenSSL to generate the P12 file (I haven't actually sent this
> to anyone since I'm still testing). So, I assumed that it was okay
> for distribution. Perhaps not. At any rate, I like the idea of the
> OpenPGP better. I'll see how to do that.

Oh good, good. That should work just fine. I thought you were saying
that you'd sent the webserver's keys to the end-user.

There's an email encryption method called S/MIME that uses
certificates and such that I think is handled pretty well by Outlook (or
whatever Microsoft users do their email with these days). You could
also look into that. It *might* be easier for your end-users.

--
Erik Arneson <dybbuk(a)LNouv.com>
GPG Key ID : 1024D/62DA1D25 BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
Office : +1.541.291.9776 Skype : callto://pymander
http://www.leisurenouveau.com/
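
The setup recommended in this thread (the recipient has her own key pair, and the web server encrypts using only her certificate), sketched with the OpenSSL command line as an added example that is not part of either message. The names `webserver` and `alice`, the `example.test` subjects, the password and the message text are constructed, and self-signed certificates stand in for CA-issued ones.

```shell
#!/bin/sh
# Added example: every name, subject, password and message here is constructed.
set -eu

make_identity() {   # $1 = dir, $2 = name: own key pair plus a self-signed cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2.example.test" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

export_p12() {      # $1 = dir, $2 = name, $3 = install password
  # The bundle a user installs holds that user's own key and certificate only.
  P12_PASS="$3" openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -name "$2" -passout env:P12_PASS -out "$1/$2.p12"
}

encrypt_to() {      # $1 = dir, $2 = recipient name, $3 = message text
  # The sender needs nothing but the recipient's certificate (the public part).
  printf '%s\n' "$3" | openssl smime -encrypt -binary -aes256 \
    -out "$1/mail-$2.p7m" "$1/$2.crt"
}

decrypt_with() {    # $1 = dir, $2 = recipient name, $3 = whose key is tried
  out=$(openssl smime -decrypt -in "$1/mail-$2.p7m" \
    -recip "$1/$3.crt" -inkey "$1/$3.key" 2>/dev/null) || return 1
  printf '%s\n' "$out" | tr -d '\r'
}

# Stand-alone run: two endpoints, two separate key pairs.
dir=$(mktemp -d)
make_identity "$dir" webserver
make_identity "$dir" alice
export_p12 "$dir" alice "constructed-install-password"
encrypt_to "$dir" alice "constructed message body"
decrypt_with "$dir" alice alice
decrypt_with "$dir" alice webserver || echo "webserver key does not open alice's mail"
rm -rf "$dir"
```

The web server's private key never leaves `webserver.key`; the only file that travels to the user is her own `alice.p12`.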