From: Michael B. <mic...@rz...> - 2002-03-14 09:30:07
alexandru matei wrote:
>
> First I want to apologise because my observations are two days old.
> Michael sent a mail that he will be out for two days so I presumed
> (wrongly) that there would be no more changes to snaps.
>
> Michael Bell wrote:
>
>> > 5) general question:
>> > The CA is encrypting the user certificate and PIN and is signing the
>> > message which will be sent to the user. But since the CA certificate is not
>> > intended for email signing purposes, I obtain an error "invalid
>> > signature" on the mail client (Netscape), which prevents me from seeing the
>> > message and therefore the revocation CRIN. Should the mail be signed
>> > with another certificate?
>>
>> Yes, but how should we implement this? Another certificate with another
>> key but the same passphrase like the CA, or perhaps the same key? Any
>> comments or ideas are welcome.
>>
>
> I wonder why the user must get the mail from the CA. I think that the RA
> should encrypt and sign the mail for the user. Here the mail could be
> signed & encrypted using the RA operator certificate. But signing & encrypting
> can be done at the CA as well using the first RA operator's certificate.
> Or in Initialization we can just make a certificate just for signing
> mails for the CA.
> Another idea: why must the CA sign the message? Can't it just encrypt
> it (using its private key)? In this way the user knows that the CA sent it
> a mail. The signing is a proof that the message was not modified in
> transit, but, if it was modified, somebody must have the same private
> key as the CA...

1. You can only sign with a private key but never encrypt. You use a private key to decrypt data.
2. If the RAO signs and encrypts this message then it is possible that a human different from the owner of the affected private key knows the CRIN (the submitted PIN).
3. The encryption is done with the public key of the new cert.
4. The last idea ("Another idea") is called signing ;-D

> I mean that if a user wants to revoke its certificate, in the Pub section
> he is asked for a serial and a CRIN. What must he use for CRIN?

The CRIN is the PIN which the user receives in the mail from the CA.

Cheers,
Michael

P.S. If there are problems with the format of this mail then please write a notice to me - I switched to Mozilla.

-- 
-------------------------------------------------------------------
Michael Bell                    Email (private): mic...@we...
Rechenzentrum - Datacenter      Email: mic...@rz...
Humboldt-University of Berlin   Tel.: +49 (0)30-2093 2482
Unter den Linden 6              Fax: +49 (0)30-2093 2959
10099 Berlin
Germany                         [OpenCA Core Developer]
                                http://www.openca.org
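The "invalid signature" problem discussed in this thread comes down to certificate profile: a CA certificate whose key usage only covers certificate and CRL signing is not something a mail client will accept as an S/MIME signer, while a dedicated mail-signing certificate issued by that CA is. The Go program below is an added illustration, not OpenCA code; the test CA, the "Test CA Mailer" certificate and the acceptance check are constructed for this example and only approximate what a real mail client verifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a one-day test certificate signed by parentKey; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, ku x509.KeyUsage, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku, IsCA: parent == nil, BasicConstraintsValid: parent == nil}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return cert, key
}

// UsableForMailSigning approximates an S/MIME client's checks: chains to the CA, permits digitalSignature, has the emailProtection EKU.
func UsableForMailSigning(cert, ca *x509.Certificate) bool {
	hasEKU := false
	for _, eku := range cert.ExtKeyUsage {
		hasEKU = hasEKU || eku == x509.ExtKeyUsageEmailProtection
	}
	return hasEKU && cert.CheckSignatureFrom(ca) == nil && cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

// Demo: a constructed CA cert limited to cert/CRL signing (the thread's situation) and a dedicated mailer cert it issues.
func Demo() (caOK, mailerOK bool) {
	ca, caKey := issue("Test CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, nil)
	mailer, _ := issue("Test CA Mailer", 2, x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, ca, caKey)
	return UsableForMailSigning(ca, ca), UsableForMailSigning(mailer, ca)
}
func main() { fmt.Println(Demo()) } // prints: false true
```

The mailer certificate is the "another certificate with another key" option from the thread; the PIN itself would still be encrypted to the public key of the user's new certificate (point 3), so the signing key only has to prove who sent the mail.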