Re: Sending Encrypted Email

On Tue, 21 Sep 2010, Floyd Resler wrote:
> I got it all figured out.  The part I was missing was combining the
> certificate with the key and giving it to the end-user to install on
> their system.  I was able to use the Web server's certificate for the
> encryption.  The interesting thing is that the client wants ALL
> passwords sent via encrypted email.  Of course, they need the P12 file
> installed in order to view the email and that requires a password to
> install it.

Wait, you didn't send the webserver's certificate to the user, did you?
That's a bad idea.  The email recipient should have her own certificate,
which has both a private and a public part.

The webserver's certificate (presumably the one you have signed by the
CA), especially the private key, needs to be kept *private*, and not
sent all over the place.  Using the same private/public key pair on both
endpoints defeats the purpose of PKI.  You would be better off using
plain old symmetric encryption.

> So, obviously, I can't send that password encrypted.  So, my solution
> is to provide a Web page that the user gets to by an emailed link that
> has a unique identifier and the user must enter a piece of personal
> information for verification (in this case, ZIP code).  Once verified,
> they are shown the password on the page.  That's the only way I can
> think of to do it.  Is that a good solution or does someone have a
> better way?

I'm sure there are some good products out there to handle this.
Personally, for email encryption I always prefer the OpenPGP family of
tools (including GnuPG and commercial PGP).  End-users can install PGP
on their systems, generate public keys, and then send them to the
webserver.  No passwords need to be handed out---they will come up with
their own passphrases when they generate their public/private key pairs.

-- 
Erik Arneson <dybbuk@xxxxxxxxx>
  GPG Key ID : 1024D/62DA1D25   BitCoin : 1LqvuGUqJ4ZUSoE7YE9ngETjwp4yZ2uSdP
      Office : +1.541.291.9776    Skype : callto://pymander
            http://www.leisurenouveau.com/


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
