S/Mime - How can it possibly be secure?

[IT_Architect]

S/Mime - How can it possibly be secure? When I went to get an E-mail cert, their system wanted to install it to my machine. Since there is no CSR, if they install it, they have the private key. Since they now have access to both the private a public keys, how can it be secure? What am I missing?

 

[nobaloney]

they have the private key.

How do they get your private key? That's the part I'm missing.

Jeff

 

[IT_Architect]

How do they get your private key? That's the part I'm missing.Jeff

I may not understand this areas as well as I thought I did.
With a web site cert:
- I generate a CSR, from what I assumed to be the private key.
- The CA generates a public key from the CSR along with a matching cert.
- We install the CERT and we can now do SSL, verified by the CA that they are talking to who they think they are. The better the checks are before the cert is issued, the safer it is.

With an E-mail cert:
- You sign up for it.
- They install it. There is no CSR generated from a private key. Thus, they have both halves of the key.
What am I missing?

 

[ditto]

I don't undertstand what you mean by a "E-mail cert". I have recently setup certificate for exim/dovecot. I am using the same certificate wich I use for my server hostname, and tell the clients to use the server hostname in smtp and pop/imap address in their email client. And of course that certificate that I also use for email, was generated from a private key.

 

[IT_Architect]

I don't undertstand what you mean by a "E-mail cert".

- An E-mail cert is installed in the user's mail client to read encrypted messages destined for him. If you use a CA, the CA makes the public key available to everyone, as with web hosting certs.
- When you send an E-mail, you use the recipient's public key to encrypt it. Nobody can read the message except the intended recipient, in theory. You cannot even decrypt the message you created yourself.
- When it reaches the intended recipient, he is the only one who can read the message, because he is the only one with the private key, in theory.

 

[nobaloney]

My first thought is to agree with ditto.

When I read your reply to ditto about an e-mail Certificate I felt lost. So I Googled and found this (instantssl.com) and other similar sites. These have nothing to do with what I (and probably ditto) think of when we think of Secure Certificates. To me it seems something more akin to what I can do when I use a private key/public key pair to sign and/or encrypt messages. In that case I install my private key on my system and distribute my public key.

Perhaps with this clarification someone else will respond to this thread with more information, but if not, I'd suggest you ask these questions of your e-mail Certificate vendor.

Jeff

 

[IT_Architect]

...if not, I'd suggest you ask these questions of your e-mail Certificate vendor. Jeff

I'll give it a shot. LOL! Thanks!