S/MIME keys (was: What Are Some Good Projects For Novices?)

Paul Rubin phr-n2001 at nightsong.com
Tue Aug 21 04:46:24 EDT 2001


philh at comuno.freeserve.co.uk (phil hunt) writes:
> From reading links from this stuff, I get the impression that to get 
> an S/MIME public/private keypair, you have to buy one from a 
> Certification Authority (who also certify your identity, presumably).
> Is this correct? Or can I just create my own keys like I can with GnuPG
> or PGP?

You always generate your own keys.  The Certification Authority
verifies your identity and signs your public key.  It's sort of like
PGP key signatures, except programs like browsers etc. are
preconfigured to trust a certain collection of CA's, and normally if
you publish a key to the outside world (an SSL web site certificate is
the most common example) you get it signed by one of those
preconfigured CA's (who run a tidy scam charging you for the
certificates).  

Note that nothing requires you to use a commercial CA--you can always
sign your own keys and convince your friends to configure their
browsers to trust your key signatures, just like PGP.  (I'm mixing PGP
and X509 terminology here).  The idea of CA's is that when a complete
stranger visits your online shoe store's SSL web site, his/her browser
will still see a trusted signature and proceed without throwing a
warning dialog.
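To make the distinction in the post concrete (you generate the keypair; a CA only signs the public key; relying parties accept it only if they trust that CA), here is an added shell walkthrough using the openssl command-line tool. It is not part of the original message or thread; the home-made "Home CA", the subject names, e-mail address and file names are all constructed for the demonstration, and it assumes an openssl binary (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example (not from the original post): the user generates the keypair
# locally; a CA, here a home-made one standing in for a commercial CA, only
# signs the public key. All names, paths and subjects are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files

# Step 1: generate the private key and a certificate signing request (CSR).
# The private key stays here; the CSR carries only the public key and the name.
make_user_csr() {
    cat > "$WORK/user.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Alice Example
emailAddress = alice@example.com
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/user.key" 2>/dev/null
    openssl req -new -config "$WORK/user.cnf" -key "$WORK/user.key" \
        -out "$WORK/user.csr" 2>/dev/null
}

# Step 2: a CA signs the request. Here the CA is our own self-signed root;
# the signing step is the same whether the CA is commercial or a friend's.
make_ca_and_sign() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Home CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # End-entity extensions: an S/MIME client wants emailProtection and the
    # e-mail address in subjectAltName; CA:FALSE stops the leaf signing others.
    cat > "$WORK/user.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.com
EOF
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/user.ext" \
        -out "$WORK/user.crt" 2>/dev/null
}

# Step 3a: a relying party that trusts the CA accepts the certificate for S/MIME.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose smimesign "$WORK/user.crt" >/dev/null 2>&1
}

# Step 3b: with only the system trust store (which does not contain Home CA),
# the same certificate is rejected: the "warning dialog" case from the post.
# Returns 0 when verification fails, which is the expected outcome.
verify_without_trust() {
    if openssl verify "$WORK/user.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Sanity check: the public key in the signed certificate is the one we generated.
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/user.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/user.crt" -pubkey -noout 2>/dev/null)" ]
}

make_user_csr
make_ca_and_sign
verify_with_ca && echo "trusted CA: certificate accepted"
verify_without_trust && echo "no trust in Home CA: certificate rejected"
key_matches_cert && echo "certificate carries the locally generated public key"
echo "files left in $WORK"
```

The private key (user.key) is never handed to the CA; only user.csr travels, and the CA returns user.crt. Installing Home CA's certificate (ca.crt) in a friend's mail client is what makes the "trust your key signatures" arrangement from the post work; a stranger's client, which trusts only its preconfigured CAs, sees the second outcome. The generated files are left in the scratch directory so they can be inspected with `openssl x509 -in "$WORK/user.crt" -text -noout`.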


