File encryption using x509
CorneLinux
15th February 2005, 03:46 PM
Hi,
how can I encrypt files with x509 certificates?
gpg uses its own keyring thing I guess, but it does not integrate into a pki.
Regards
Cornelius
ilja
15th February 2005, 03:49 PM
Hi Cornelius,
I'll give you this as an answer : http://www.aleksey.com/pipermail/xmlsec/2004/001925.html
But : http://www.pki-page.org/#PGP
CorneLinux
15th February 2005, 04:07 PM
Hi Cornelius,
I'll give you this as an answer : http://www.aleksey.com/pipermail/xmlsec/2004/001925.html
This link is right. Because of this we encrypt the information with the public key of the recipient.
You see, sending encrypted emails using x509 works fine.
You encrypt the mail with the public part of his certificate and the recipient will decrypt it with his private key.
File encryption could just work the same. I could encrypt the file with the certificate of the guy who is supposed to be allowed to read the file. But...
But : http://www.pki-page.org/#PGP
Well. But as far as I could see, pgp and gpg always go their own ways to build a "PKI".
They generate keypairs but do not take care of existing CAs etc.
Please correct me if I am totally wrong.
Regards
Cornelius
ilja
15th February 2005, 04:40 PM
In Germany there are CAs, but they are organized by the DFN, so you need to be a student of a university to get it signed. Or there is also the possibility to get it signed by c't at a trade fair (Messe) like CeBIT or the one in Munich.
And there are also Webs of Trust, so there are possibilities.
But of course the best way is to get the key directly from the recipient.
CorneLinux
15th February 2005, 04:50 PM
Imagine a company or any group of men that will build up its own PKI, containing the CA, RA, Directory Service... The certificates that are stored in the central LDAP server and that are used for signing their mails and logging in, building up VPN connections and so on...
Why not use the same certificates for encrypting files, that are stored on the fileserver?
Why not use my own certificate for encrypting the harddisk of my laptop?
Why should I generate a new keypair and build up a keyring for file encryption, if I got a complete infrastructure?
But obviously no one thought about it before. Is it a stupid thought? I didn't find anything on the web.
Regards
Cornelius
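
The approach discussed in the thread (encrypt to the public key in the recipient's certificate, as S/MIME mail does, but applied to a file on a shared server), shown as an added example that is not part of any post. It uses the `openssl smime` command; the recipient names and self-signed certificates are constructed stand-ins for certificates a company PKI would issue.

```shell
#!/bin/sh
# Added example: file encryption to X.509 recipients with the openssl CLI.
# Certificates here are constructed, self-signed stand-ins for PKI-issued ones.

# Create a throwaway recipient: $1 = directory, $2 = name (hypothetical).
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2 (constructed)" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Encrypt $1 into $2 for every certificate listed after them.
# The file is encrypted once with a random AES key; that key is wrapped
# separately under each recipient's public key (PKCS#7 EnvelopedData).
encrypt_for() {
    src=$1; dst=$2; shift 2
    openssl smime -encrypt -binary -aes256 -outform DER \
        -in "$src" -out "$dst" "$@"
}

# Decrypt $1 into $2 using certificate $3 and its private key $4.
decrypt_as() {
    openssl smime -decrypt -binary -inform DER \
        -in "$1" -out "$2" -recip "$3" -inkey "$4" 2>/dev/null
}

# Round trip: two recipients can read the file, an outsider cannot.
demo() {
    d=$(mktemp -d) || return 1
    for n in alice bob mallory; do make_recipient "$d" "$n" || return 1; done
    printf 'quarterly figures (constructed sample)\n' > "$d/plain.txt"
    encrypt_for "$d/plain.txt" "$d/file.p7m" "$d/alice.crt" "$d/bob.crt" || return 1
    decrypt_as "$d/file.p7m" "$d/alice.out" "$d/alice.crt" "$d/alice.key" &&
        cmp -s "$d/plain.txt" "$d/alice.out" || return 1
    decrypt_as "$d/file.p7m" "$d/bob.out" "$d/bob.crt" "$d/bob.key" &&
        cmp -s "$d/plain.txt" "$d/bob.out" || return 1
    if decrypt_as "$d/file.p7m" "$d/m.out" "$d/mallory.crt" "$d/mallory.key"; then
        return 1   # a non-recipient must not be able to decrypt
    fi
    rm -rf "$d"
}

demo && echo "round trip OK"
```

In a real PKI the certificates passed to `encrypt_for` would be fetched from the directory and validated against the CA before use; the example skips that step because its certificates are self-signed.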