| Groups | Blog | Home |
iis security : makecert: why only test certificates?
test certificates. Is this just for legal reasons (i.e. because I am not a trusted CA) or is this for technical reasons? As I understand a certificate needs a number which is the product of two very large primes (about 100 digits). It is most important that the primes are randomly selected: If the primes are randomly selected, it is (more or less) impossible to find the primes if only the product (which is part of the public key) is known. If makecert would use e.g. a table of only 1000 primes, this would be more than sufficient for testing, but would not give any security because everybody could try these
Well, if you had a CA, you would just use the CA to generate the certs, and
you wouldn't need makecert. If you didn't have a CA, you would get one from someone with a CA, and again they wouldn't use makecert. I would define not having a CA as a technical reason and not a legal reason. CA is free with Windows 2000 server. The requirement for CA is not because of Microsoft licensing, but because you need someone somewhere to validate the cert as trusted. With makecert, there is no built-in way to store or securely exchange the secret components of the cert between the host server and the CA while generating it, which theoretically compromises the security of the cert. The CA handles this, certificate expiration, etc. No single utility like makecert can do all these things that are necessary to make a reasonably secure cert. [quoted text, click to view] "Martin M" <martin.m14@aon.at> wrote in message news:1c03b01c4518a$4087b9f0$a001280a@phx.gbl... > I wonder why microsoft states that makecert creates only > test certificates. Is this just for legal reasons (i.e. > because I am not a trusted CA) or is this for technical > reasons? > As I understand a certificate needs a number which is the > product of two very large primes (about 100 digits). It is > most important that the primes are randomly selected: If > the primes are randomly selected, it is (more or less) > impossible to find the primes if only the product (which > is part of the public key) is known. > If makecert would use e.g. a table of only 1000 primes, > this would be more than sufficient for testing, but would > not give any security because everybody could try these > 1000 primes and crack the certificate.
You do not have CA, you are one. You have a somewhat trusted root
certificate. You still need a program to generate certificates (signed by your root certificate), you just wouldn't use makecert (it can only create root certificates and it can't be really customized, you can't set all the various options such as key usage). Jerry [quoted text, click to view] "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message news:ucQKZRZUEHA.2028@TK2MSFTNGP11.phx.gbl... > Well, if you had a CA, you would just use the CA to generate the certs, > and > you wouldn't need makecert. If you didn't have a CA, you would get one > from > someone with a CA, and again they wouldn't use makecert. > > I would define not having a CA as a technical reason and not a legal > reason. > CA is free with Windows 2000 server. The requirement for CA is not > because > of Microsoft licensing, but because you need someone somewhere to validate > the cert as trusted. > > With makecert, there is no built-in way to store or securely exchange the > secret components of the cert between the host server and the CA while > generating it, which theoretically compromises the security of the cert. > The CA handles this, certificate expiration, etc. No single utility like > makecert can do all these things that are necessary to make a reasonably > secure cert. > > > "Martin M" <martin.m14@aon.at> wrote in message > news:1c03b01c4518a$4087b9f0$a001280a@phx.gbl... >> I wonder why microsoft states that makecert creates only >> test certificates. Is this just for legal reasons (i.e. >> because I am not a trusted CA) or is this for technical >> reasons? >> As I understand a certificate needs a number which is the >> product of two very large primes (about 100 digits). It is >> most important that the primes are randomly selected: If >> the primes are randomly selected, it is (more or less) >> impossible to find the primes if only the product (which >> is part of the public key) is known. >> If makecert would use e.g. a table of only 1000 primes, >> this would be more than sufficient for testing, but would >> not give any security because everybody could try these >> 1000 primes and crack the certificate. > >
Thank you much for your reply.
Well, it does not depend upon the way (CA or makecert) that someone must validate the certificate as trusted if this is needed. This is not an issue for me, I would need certificates for encrypting emails between a limited number of persons which I personally know. I could hand over a diskette with the certificate, so distribution is not an issue, either. The problem is: are the certificates per se secure, or is the number of certificates created by makecert limited? (I am a patent attorney. Certificates of a trusted certification authority don't work for me because such certificates are bound to a single person. This would imply that I had to decrypt all emails by myself, which would be similar to the hypothesis that I had to open all envelopes of snail mail by myself. If I am not in the office, nobody can read the emails. Well, I could obtain a certificate for a secretary, but if she or he is not in the office, once again nobody can read the emails.) Martin M [quoted text, click to view] >-----Original Message-----
>Well, if you had a CA, you would just use the CA to generate the certs, and >you wouldn't need makecert. If you didn't have a CA, you would get one from >someone with a CA, and again they wouldn't use makecert. > >I would define not having a CA as a technical reason and not a legal reason. >CA is free with Windows 2000 server. The requirement for CA is not because >of Microsoft licensing, but because you need someone somewhere to validate >the cert as trusted. > >With makecert, there is no built-in way to store or securely exchange the >secret components of the cert between the host server and the CA while >generating it, which theoretically compromises the security of the cert. >The CA handles this, certificate expiration, etc. No single utility like >makecert can do all these things that are necessary to make a reasonably >secure cert. > > >"Martin M" <martin.m14@aon.at> wrote in message >news:1c03b01c4518a$4087b9f0$a001280a@phx.gbl... >> I wonder why microsoft states that makecert creates only >> test certificates. Is this just for legal reasons (i.e. >> because I am not a trusted CA) or is this for technical >> reasons? >> As I understand a certificate needs a number which is the >> product of two very large primes (about 100 digits). It is >> most important that the primes are randomly selected: If >> the primes are randomly selected, it is (more or less) >> impossible to find the primes if only the product (which >> is part of the public key) is known. >> If makecert would use e.g. a table of only 1000 primes, >> this would be more than sufficient for testing, but would >> not give any security because everybody could try these >> 1000 primes and crack the certificate. > > >.
Martin,
Keep in mind that it is the receiver of encrypted e-mail that needs the certificate. You and your clients would need certificates to exchange encrypted e-mail. The public key is used to encrypt the messages and the private key is used to decrypt. Whatever CA you choose to use, you want separate signing and encryption certificates. Your encryption certificate private key, if marked exportable when created, can be shared with any office staff. By separating the signing functions, your staff can decrypt your e-mail on your behalf, without being able to sign as you for outgoing mail. Thawte offers free personal certificates that can be customized for encryption only functions. -- Eric Chamberlain, CISSP [quoted text, click to view] <anonymous@discussions.microsoft.com> wrote in message news:1c1cf01c451d7$3416e270$a001280a@phx.gbl... > Thank you much for your reply. > Well, it does not depend upon the way (CA or makecert) > that someone must validate the certificate as trusted if > this is needed. > This is not an issue for me, I would need certificates for > encrypting emails between a limited number of persons > which I personally know. I could hand over a diskette with > the certificate, so distribution is not an issue, either. > The problem is: are the certificates per se secure, or is > the number of certificates created by makecert limited? > (I am a patent attorney. Certificates of a trusted > certification authority don't work for me because such > certificates are bound to a single person. This would > imply that I had to decrypt all emails by myself, which > would be similar to the hypothesis that I had to open all > envelopes of snail mail by myself. If I am not in the > office, nobody can read the emails. Well, I could obtain a > certificate for a secretary, but if she or he is not in > the office, once again nobody can read the emails.) > > Martin M > > >-----Original Message----- > >Well, if you had a CA, you would just use the CA to > generate the certs, and > >you wouldn't need makecert. If you didn't have a CA, you > would get one from > >someone with a CA, and again they wouldn't use makecert. > > > >I would define not having a CA as a technical reason and > not a legal reason. > >CA is free with Windows 2000 server. The requirement for > CA is not because > >of Microsoft licensing, but because you need someone > somewhere to validate > >the cert as trusted. > > > >With makecert, there is no built-in way to store or > securely exchange the > >secret components of the cert between the host server and > the CA while > >generating it, which theoretically compromises the > security of the cert. > >The CA handles this, certificate expiration, etc. No > single utility like > >makecert can do all these things that are necessary to > make a reasonably > >secure cert. > > > > > >"Martin M" <martin.m14@aon.at> wrote in message > >news:1c03b01c4518a$4087b9f0$a001280a@phx.gbl... > >> I wonder why microsoft states that makecert creates only > >> test certificates. Is this just for legal reasons (i.e. > >> because I am not a trusted CA) or is this for technical > >> reasons? > >> As I understand a certificate needs a number which is > the > >> product of two very large primes (about 100 digits). It > is > >> most important that the primes are randomly selected: If > >> the primes are randomly selected, it is (more or less) > >> impossible to find the primes if only the product (which > >> is part of the public key) is known. > >> If makecert would use e.g. a table of only 1000 primes, > >> this would be more than sufficient for testing, but > would > >> not give any security because everybody could try these > >> 1000 primes and crack the certificate. > > > > > >. > >
Sorry, this is NOT true. You can create certificates
signed with a root certificate using makecert. This certificate may be an installed one or one which you have a .pvk and .crt file of. Only if you use the -r option you get a (self signed) root certificate. But this is not the point. The security of all certificates depends upon the fact that the number of keys is extremly large so you can't crack the keys by trying. I wonder why Microsoft states that the certificates created by makecert are for testing only. Is the number of keys limited if you use makecert? Martin M [quoted text, click to view] >-----Original Message-----
>You do not have CA, you are one. You have a somewhat trusted root >certificate. You still need a program to generate certificates (signed by >your root certificate), you just wouldn't use makecert (it can only create >root certificates and it can't be really customized, you can't set all the >various options such as key usage). > >Jerry > >"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message >news:ucQKZRZUEHA.2028@TK2MSFTNGP11.phx.gbl... >> Well, if you had a CA, you would just use the CA to generate the certs, >> and >> you wouldn't need makecert. If you didn't have a CA, you would get one >> from >> someone with a CA, and again they wouldn't use makecert. >> >> I would define not having a CA as a technical reason and not a legal >> reason. >> CA is free with Windows 2000 server. The requirement for CA is not >> because >> of Microsoft licensing, but because you need someone somewhere to validate >> the cert as trusted. >> >> With makecert, there is no built-in way to store or securely exchange the >> secret components of the cert between the host server and the CA while >> generating it, which theoretically compromises the security of the cert. >> The CA handles this, certificate expiration, etc. No single utility like >> makecert can do all these things that are necessary to make a reasonably >> secure cert. >> >> >> "Martin M" <martin.m14@aon.at> wrote in message >> news:1c03b01c4518a$4087b9f0$a001280a@phx.gbl... >>> I wonder why microsoft states that makecert creates only >>> test certificates. Is this just for legal reasons (i.e. >>> because I am not a trusted CA) or is this for technical >>> reasons? >>> As I understand a certificate needs a number which is the >>> product of two very large primes (about 100 digits). It is >>> most important that the primes are randomly selected: If >>> the primes are randomly selected, it is (more or less) >>> impossible to find the primes if only the product (which >>> is part of the public key) is known. >>> If makecert would use e.g. a table of only 1000 primes, >>> this would be more than sufficient for testing, but would >>> not give any security because everybody could try these >>> 1000 primes and crack the certificate. >> >> > > >.
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |