Timeline for Digital signature using only x509 certificate
Current License: CC BY-SA 4.0
9 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Jul 15, 2020 at 15:24 | comment | added | daparic | I looked at this from the point of view of the customer and what they want to achieve. When they said that they want to sign using a certificate, it means that it is their certificate. Therefore, it will use the private key of this certificate to do the signing. This private key is inside the keystore and not in the certificate. | |
| Apr 21, 2020 at 15:57 | vote | accept | DraQ | | |
| Aug 24, 2019 at 11:32 | comment | added | dave_thompson_085 | As an example, coincidentally just reactivated a few hours ago: security.stackexchange.com/questions/194589/… | |
| Aug 24, 2019 at 11:30 | comment | added | dave_thompson_085 | ... The same mechanism is also used to transfer key&cert, e.g. a business gives you a key&cert (in your name) to use to authenticate yourself to their server or workflow, and after that they don't use that key&cert. This is not best practice, which is for you to generate the key and them to authorize or provide only the cert, but with some users the best practice takes days of handholding and it's cheaper to just do the poor practice. Yes, if you have someone's private key you can sign or decrypt 'as' them, and can misuse this power. If you don't want the responsibility, don't accept it. | |
| Aug 24, 2019 at 11:27 | comment | added | dave_thompson_085 | @DraQ: it's never in the cert, but as I said may be attached (for example, in a PKCS12 aka PFX file). Someone would share a key and cert to allow someone else to sign and/or decrypt 'on their behalf' (like a supervisor giving this to a subordinate to cover during a vacation or absence, or a webserver allowing a loadbalancer, WAF, CDN, or other 'front end' to handle traffic addressed to it) or 'with equal ability' (like members of a collective or partners in a business, or a normal and backup datacenter). ... | |
| Aug 23, 2019 at 14:41 | comment | added | DraQ | @dave_thompson_085 why would someone share or use a certificate with a private key embedded? Apart from using it inside a keyring application or like you said in another software like Outlook where you can sign and then present the certificate to the recipient of the email? | |
| Aug 23, 2019 at 14:38 | comment | added | DraQ | @Ben I think that he is confused about how it works. Even though I explained this issue I was not able to match this to the theory. That's why I was asking for second opinions in case I was missing something. | |
| Aug 23, 2019 at 13:53 | comment | added | Ben | In other words: OP is technically correct, but probably misunderstanding their customer's request, possibly because the customer doesn't precisely know what they're asking. | |
| Aug 23, 2019 at 10:50 | history | answered | dave_thompson_085 | CC BY-SA 4.0 | |