From: Floyd Resler on 21 Sep 2010 11:38

On Sep 21, 2010, at 11:15 AM, Erik L. Arneson wrote:

> On Tue, 21 Sep 2010, Floyd Resler wrote:
>> I got it all figured out. The part I was missing was combining the
>> certificate with the key and giving it to the end-user to install on
>> their system. I was able to use the Web server's certificate for the
>> encryption. The interesting thing is that the client wants ALL
>> passwords sent via encrypted email. Of course, they need the P12 file
>> installed in order to view the email and that requires a password to
>> install it.
>
> Wait, you didn't send the webserver's certificate to the user, did you?
> That's a bad idea. The email recipient should have her own certificate,
> which has both a private and a public part.
>
> The webserver's certificate (presumably the one you have signed by the
> CA), especially the private key, needs to be kept *private*, and not
> sent all over the place. Using the same private/public key pair on both
> endpoints defeats the purpose of PKI. You would be better off using
> plain old symmetric encryption.
>
>> So, obviously, I can't send that password encrypted. So, my solution
>> is to provide a Web page that the user gets to by an emailed link that
>> has a unique identifier and the user must enter a piece of personal
>> information for verification (in this case, ZIP code). Once verified,
>> they are shown the password on the page. That's the only way I can
>> think of to do it. Is that a good solution or does someone have a
>> better way?
>
> I'm sure there are some good products out there to handle this.
> Personally, for email encryption I always prefer the OpenPGP family of
> tools (including GnuPG and commercial PGP). End-users can install PGP
> on their systems, generate public keys, and then send them to the
> webserver. No passwords need to be handed out---they will come up with
> their own passphrases when they generate their public/private key pairs.
>
> --
> Erik Arneson <dybbuk(a)LNouv.com>
> GPG Key ID : 1024D/62DA1D25 BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
> Office : +1.541.291.9776 Skype : callto://pymander
> http://www.leisurenouveau.com/
>

I used OpenSSL to generate the P12 file (I haven't actually sent this to anyone since I'm still testing). So, I assumed that it was okay for distribution. Perhaps not. At any rate, I like the idea of the OpenPGP better. I'll see how to do that.

Thanks!
Floyd

From: "Erik L. Arneson" on 21 Sep 2010 12:01

On Tue, 21 Sep 2010, Floyd Resler wrote:
> I used OpenSSL to generate the P12 file (I haven't actually sent this
> to anyone since I'm still testing). So, I assumed that it was okay
> for distribution. Perhaps not. At any rate, I like the idea of the
> OpenPGP better. I'll see how to do that.

Oh good, good. That should work just fine. I thought you were saying that you'd sent the webserver's keys to the end-user.

There's an email encryption method called S/MIME that uses certificates and such that I think is handled pretty well by Outlook (or whatever Microsoft users do their email with these days). You could also look into that. It *might* be easier for your end-users.

--
Erik Arneson <dybbuk(a)LNouv.com>
GPG Key ID : 1024D/62DA1D25 BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
Office : +1.541.291.9776 Skype : callto://pymander
http://www.leisurenouveau.com/
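
The key separation discussed in this thread, shown with the OpenSSL command line as an added example that is not part of the original messages: the recipient gets her own key pair in a P12 file, the sender encrypts with her public certificate only, and the web server's key plays no part. The function name, file names, address and passphrase are constructed, and a self-signed certificate stands in for one issued by a CA.

```shell
#!/bin/sh
# Added example; every name, address and passphrase below is constructed.
smime_roundtrip() {
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        # 1. The recipient gets her own key pair and certificate. The web
        #    server's private key is never involved and never leaves the server.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Recipient Example/emailAddress=recipient@example.com" \
            -keyout recipient.key -out recipient.crt 2>/dev/null || exit 1
        # 2. Bundle the recipient's key and certificate into a password-protected
        #    PKCS#12 file for import into her mail client.
        openssl pkcs12 -export -inkey recipient.key -in recipient.crt \
            -name "recipient@example.com" \
            -passout pass:constructed-import-pass -out recipient.p12 || exit 1
        # 3. The sender needs only the recipient's public certificate.
        printf 'constructed secret message\n' > plain.txt
        openssl smime -encrypt -binary -aes256 \
            -in plain.txt -out mail.p7m recipient.crt || exit 1
        # 4. The recipient recovers her private key from the P12 (what a mail
        #    client does on import) and decrypts.
        openssl pkcs12 -in recipient.p12 -passin pass:constructed-import-pass \
            -nocerts -nodes -out imported.key 2>/dev/null || exit 1
        openssl smime -decrypt -in mail.p7m \
            -recip recipient.crt -inkey imported.key
    )
    status=$?
    rm -rf "$workdir"
    return "$status"
}
```

Calling `smime_roundtrip` prints the decrypted message; the only file a sender ever needs is `recipient.crt`.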