Rome
Sun Jan 29 13:31:45 CST 2006
Thanks for both your answers. I'm trying to fully understand the concept of PKI, so forgive my questions. So "some" public keys are stored on certificates and other public keys are stored where? So private keys are stored in keystores or keycontainer files, correct?

"Mitch Gallant" <jensigner@community.nospam> wrote in message news:uDFr%230OJGHA.2900@TK2MSFTNGP14.phx.gbl...

Standard X.509 certificates store only the Public key, and issuer's signature plus other information about the "owner" of the public key. Essentially, all the information within a cryptographic certificate is intended to be public. Here is a visual dissection of a typical X.509 v3 certificate:
http://www.jensign.com/JavaScience/GetTBSCert

The private key (say an RSA key) matching a corresponding public key must be protected and kept private. Therefore such private keys are typically maintained in "keystores" or "keycontainer files" which are always (or should be) protected by some encryption process which can be rather complex (e.g. the keycontainer protection mechanism in W2k and higher uses login credentials to extract an encryption key using DPAPI).
Smartcards may use their own mechanism for protecting the private key data.

PKCS#12 defines one standard for (relatively speaking) securely transporting private keys and their matching public keys and certificates and other data in a platform independent way (sort of!).

- Mitch Gallant
MVP Security
www.jensign.com

"Rome" <coolromeo29@yahoo.com> wrote in message news:eOSqLcOJGHA.3000@TK2MSFTNGP14.phx.gbl...

Are all Public and Private Keys stored on certificates?
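Mitch Gallant's answer describes a certificate as a signed TBSCertificate whose only key material is the subject's public key. The Python below is an added example for this thread, not code from the thread and not Mitch's GetTBSCert tool: it builds a constructed, X.509 v3-shaped DER certificate (the issuer and subject names, the serial number, the RSAPublicKey values and the signature bytes are all placeholders, not a real key or a real signature) and then walks it with a minimal stdlib-only DER reader to list exactly which fields are present. The OID byte encodings for sha256WithRSAEncryption, rsaEncryption and commonName are the standard ones; everything else is the example's own choice.

```python
"""Dissect a DER-encoded X.509 certificate into tbsCertificate, signatureAlgorithm
and signatureValue, then into the TBSCertificate fields, to show that the only
key material a certificate carries is the subject's *public* key.
Added example, not from the original thread.  The sample certificate is
constructed in-code with placeholder key and signature bytes."""

# ---- minimal DER encoder, used only to build the constructed sample ----------

def der_length(n):
    """DER definite-form length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # one spare byte keeps a value with its high bit set positive (DER INTEGER is signed)
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1
OID_CN = bytes.fromhex("0603550403")                      # 2.5.4.3 commonName
NULL = b"\x05\x00"

def name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (a single CN here)."""
    atv = seq(OID_CN, tlv(0x0C, common_name.encode()))      # UTF8String
    return seq(tlv(0x31, atv))                               # SET

def utc_time(s):
    return tlv(0x17, s.encode())                             # UTCTime, YYMMDDHHMMSSZ

def build_sample_certificate():
    """Constructed v3 certificate; modulus, exponent and signature are placeholders."""
    rsa_public_key = seq(integer(0xBEEF), integer(65537))   # placeholder RSAPublicKey
    spki = seq(seq(OID_RSA, NULL), tlv(0x03, b"\x00" + rsa_public_key))
    tbs = seq(
        tlv(0xA0, integer(2)),                               # [0] version = v3
        integer(0x1234),                                     # serialNumber (constructed)
        seq(OID_SHA256_RSA, NULL),                           # signature (algorithm)
        name("Example Issuer CA"),                           # issuer (placeholder)
        seq(utc_time("060129000000Z"), utc_time("070129000000Z")),  # validity
        name("rome.example"),                                # subject (placeholder)
        spki,                                                # subjectPublicKeyInfo
    )
    placeholder_signature = tlv(0x03, b"\x00" + b"\xAA" * 32)  # NOT a real signature
    return seq(tbs, seq(OID_SHA256_RSA, NULL), placeholder_signature)

# ---- minimal DER reader and certificate dissection ---------------------------

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                            # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

TBS_FIELDS = ["version", "serialNumber", "signature", "issuer", "validity",
              "subject", "subjectPublicKeyInfo"]
OPTIONAL_TAGS = {0xA1: "issuerUniqueID", 0xA2: "subjectUniqueID", 0xA3: "extensions"}

def dissect_certificate(der):
    """Map a DER certificate to {field name: raw value bytes}."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    top = children(body)
    if len(top) != 3:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signatureValue")
    tbs, sig_alg, sig_value = top
    fields = children(tbs[1])
    # a v1 certificate omits the explicit [0] version field
    names = TBS_FIELDS if fields and fields[0][0] == 0xA0 else TBS_FIELDS[1:]
    result = {}
    for i, (t, v) in enumerate(fields):
        if i < len(names):
            result[names[i]] = v
        elif t in OPTIONAL_TAGS:
            result[OPTIONAL_TAGS[t]] = v
        else:
            raise ValueError("unexpected TBSCertificate field tag 0x%02x" % t)
    result["signatureAlgorithm"] = sig_alg[1]
    result["signatureValue"] = sig_value[1]
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
    _alg, key_bits = children(result["subjectPublicKeyInfo"])
    result["public_key_bits"] = key_bits[1][1:]              # drop the unused-bits octet
    return result

if __name__ == "__main__":
    for field, value in dissect_certificate(build_sample_certificate()).items():
        print("%-22s %4d bytes" % (field, len(value)))
```

The same dissection runs on a real certificate once you have its DER bytes (for a PEM file, `ssl.PEM_cert_to_DER_cert()` from the standard library converts it). Whatever the certificate, the field list never contains a private key: the matching private key lives in the keystore, keycontainer or PKCS#12 file the answer describes, which is why those need encryption while the certificate does not.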