certificate distribution

Hi,

Maybe I should have titled this "key distribution", but I think this
is a bit different. I don't even know if this is a good place for it,
but I can't really find much discussion of it anywhere. Any ideas,
like where else to ask, would be appreciated.

I use a self signed certificate for digital signing (I haven't
ventured into encryption yet) and so far have sent it to a few friends
to get a sense for how it works. So far, so good: I created a PKCS12
file with OpenSSL, imported into Thunderbird, and then let
Thunderbird package up an S/MIME file that my correspondent's mail
client can unpack, and accept the public certificate, and then after
that we can exchange signed messages. The two mail clients handle all
the nitty gritty of unpacking, storing, and using the certificates.

OK, so first of all I'm trusting OpenSSL and Thunderbird to guard my
private key. I guess I can live with that, but it seems a bit flaky.
But, what if I want to be a little more secure about this, and carry
my certificate around on a memory stick with me, and give it to my
correspondents when I see them? Will the system support this?

I don't want to give anyone else the PKCS12 file I created, since it
contains the private key, right? So can I just carry around a PEM
file, and then either my correspondent ought to be able to import it
directly into the mail client, or convert it into another format with
OpenSSL or some other tool?

Moreover, am I being hopelessly old-fashioned with this? Does the
future belong to Verisign and its friends, and not to someone carrying
around a certificate on his keychain? If I really needed security, of
course it wouldn't work, but I thought it might be fun to harness the
six degrees of separation phenomenon simply by trading keys. We could
all get business cards with our certificates contained in some sort of
RF or magnetic strip on them, and pass them around. Yes, of course I
see the problems with this, but it seemed like it might work for low-
stakes security.

Thanks for any light you can shed.

Re: certificate distribution

"grizdog@gmail.com" (07-02-16 21:41:11):

> I don't want to give anyone else the PKCS12 file I created, since it
> contains the private key, right? So can I just carry around a PEM
> file, and then either my correspondent ought to be able to import it
> directly into the mail client, or convert it into another format with
> OpenSSL or some other tool?
>
> Moreover, am I being hopelessly old-fashioned with this? Does the
> future belong to Verisign and its friends, and not to someone carrying
> around a certificate on his keychain? If I really needed security, of
> course it wouldn't work, but I thought it might be fun to harness the
> six degrees of separation phenomenon simply by trading keys. We could
> all get business cards with our certificates contained in some sort of
> RF or magnetic strip on them, and pass them around. Yes, of course I
> see the problems with this, but it seemed like it might work for low-
> stakes security.

You're taking a much too complicated approach. Why don't you just use
GnuPG and Enigmail for Thunderbird? This makes things simple.

To the actual problem: Keyservers and trustcenters are good methods to
distribute keys, if there aren't any other possibilities. Otherwise,
it's always best to give you keys away personally.


Regards,
E.S.

Re: certificate distribution

Thanks, I'll look at those solutions.

Re: certificate distribution

Ertugrul Soeylemez writes:
> You're taking a much too complicated approach. Why don't you just use
> GnuPG and Enigmail for Thunderbird? This makes things simple.
>
> To the actual problem: Keyservers and trustcenters are good methods to
> distribute keys, if there aren't any other possibilities. Otherwise,
> it's always best to give you keys away personally.

old email from early 80s mentioning public key

To: wheeler
Date: 05/06/81 13:45:20

.....

5. Security - VNET does not change this. ie Security can be breached
with or without VNET. The favorate IBM watering hole is far less
secure than VM/370 or VNET. eg There are NO read, write, or multi-write
passwords on any mini-disk that I might have confidential info on.
Yes, I know about global passwords, but I also know who has them and
why. ( total of 4 individuals here including myself ).

6. Definite need for Crypt using public and private keys. Sender uses
public key of individual which requires private key of individual to
unlock. This solves the problem of unauthorized persons gaining
access to unread mail files.

.... snip ...

little drift, internal network (VNET) was larger than arpanet/internet
until sometime mid-85
http://www.garlic.com/~lynn/subnetwork.html#internalnet

misc. other old email mentioning public key
http://www.garlic.com/~lynn/lhwemail.html#publickey

including using CJNTEL on the internal network for public
key server ... recent post
http://www.garlic.com/~lynn/2006w.html#12 more secure communication over the network

other old email mentioning CJNTEL
http://www.garlic.com/~lynn/lhwemail.html#cjntel

past collected posts mentioning certificateless public key
distribution
http://www.garlic.com/~lynn/subpubkey.html#certless