Melanie Dymond Harper
mel at herald.co.uk
Mon Jan 25 12:13:09 GMT 2016
On Mon, Jan 25, 2016 at 09:45:02AM +0000, ukcrypto-request at chiark.greenend.org.uk wrote:
> > In article <D8889865-1033-46F4-82B6-50EDF78D7AFE at hayter.org>, Roger Hayter <roger at hayter.org> writes
> >> AMI, how are the keys for end-to-end users supplied?
> > Is this relevant (I don't know for sure, but as someone formerly practising in Wales maybe you have some inside track):
> > http://www.wales.nhs.uk/pearsrc/digitial_certificate_setup.pdf
> > --
> > Roland Perry
> I was never important enough to be advised to do such a thing. It does seem remarkably simple, but raises more questions. Does it use the same SSL libraries as used for encrypted web sites? If Thawte issue a certificate which you then use, does this potentially give them a way into your encrypted information or not? And is this the same system the English NHS use for end-to-end encryption? It would seem to render NHSnet irrelevant, unless its sole role is to prevent you sending encrypted email or secret documents outside NHSnet.

That's very, _very_ out of date. Thawte haven't done personal
certificates for a very long time, and the Thawte Web of Trust has been
dead since November 2009.

The certificate keys were generated within the browser in a similar way
to the way in which most code-signing certificates are handled these
days -- the CA doesn't typically see the private keys at all. I don't
offhand remember the precise libraries in use, I'm afraid.

Mel (formerly Thawte rep in the UK & Web of Trust notary)
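
An added illustration, not part of the original message: the split described above (key pair generated on the requester's side, CA receives only a request) shown with the OpenSSL command line. It assumes a PKCS#10 request as a stand-in for the in-browser enrolment, whose format and libraries the message does not specify; the subject, file names and helper function names are constructed for this example.

```shell
#!/bin/sh
# Added example: what stays with the requester vs. what a CA would receive.
# Subject, file names and function names are constructed for illustration.

# Generate a key pair locally plus a PKCS#10 request.
# Only user.csr would be submitted; user.key never leaves the machine.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/user.key" -out "$1/user.csr" \
        -subj "/CN=Example User/emailAddress=user@example.invalid" 2>/dev/null
}

# Succeeds if the file contains no private-key PEM block.
request_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

# Succeeds if the request's self-signature verifies, i.e. the requester
# proved possession of the private key without disclosing it.
# The output text is checked because older OpenSSL releases exit 0 on failure.
request_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Succeeds if the public key inside the request is the one derived
# from the locally held private key.
request_matches_key() {
    from_csr=$(openssl req -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ -n "$from_csr" ] && [ "$from_csr" = "$from_key" ]
}

# Stand-alone run in a scratch directory.
dir=$(mktemp -d)
make_request "$dir" \
    && request_has_no_private_key "$dir/user.csr" \
    && request_signature_ok "$dir/user.csr" \
    && request_matches_key "$dir/user.csr" "$dir/user.key" \
    && echo "request carries the public key only; private key stayed local"
rm -rf "$dir"
```

The certificate a CA issues from such a request binds the public key to the subject; decrypting mail sent to that key still requires user.key.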