I need to send a client an SSL Certificate Request (from IIS 6.0)
They have requested that it ONLY be sent encrypted using an app like Winzip.
My question is: is this actually an issue?
My very basic understanding of certificates is that the request does not contain any information that would help a hacker in obtaining the final certificate.
Am I completely wrong?
The CSR contains only the public keys along with some extra information about the certificate. There is nothing secret in there really.
The problem is instead integrity protection: How can they be certain that they are signing the correct CSR, and that it has not been tampered with in transport. It's not very hard for a man in the middle to take your CSR and replace it with one where the MITM has control over the keys.
Therefore the transport of the CSR has to be integrity protected somehow. Encrypted container formats are one way to provide integrity protection, along with (cryptographic) hash functions or digital signatures.
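As an added example (not from the question or the answer above), a shell script using the openssl CLI that checks a received CSR the way the answer suggests: it verifies the CSR's self-signature and compares a SHA-256 fingerprint of the CSR with one the requester passed along over a separate, authenticated channel. It assumes `openssl` is on PATH; the key, the genuine CSR and the "substituted" CSR are all generated locally as constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
# Requester and CA sides are both simulated here with constructed files.
set -eu

WORK=$(mktemp -d)

# Requester side: create a key and a CSR (constructed sample subject).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/genuine.csr" >/dev/null 2>&1

# A second CSR with the same subject but a different key stands in for
# one that a man in the middle swapped in during transport.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/other.key" -out "$WORK/substituted.csr" >/dev/null 2>&1

# SHA-256 over the DER encoding (subject, public key, self-signature).
# This is the value the requester reads out over the authenticated channel.
csr_fingerprint() {
    openssl req -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# CA side: accept a CSR only if (a) its self-signature verifies, showing the
# sender holds the private key for the embedded public key, and (b) its
# fingerprint equals the one obtained out of band.
check_csr() {
    csr=$1; expected=$2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(csr_fingerprint "$csr")" = "$expected" ]
}

# Fingerprint the requester would communicate for the genuine CSR.
EXPECTED=$(csr_fingerprint "$WORK/genuine.csr")

if check_csr "$WORK/genuine.csr" "$EXPECTED"; then
    echo "genuine.csr: self-signature OK, fingerprint matches"
fi
if ! check_csr "$WORK/substituted.csr" "$EXPECTED"; then
    echo "substituted.csr: rejected, fingerprint does not match"
fi

# The CSR itself carries nothing secret: only the subject and public key.
openssl req -in "$WORK/genuine.csr" -noout -subject -pubkey
```

The substituted CSR still passes the self-signature check (its author holds its key), which is why the out-of-band fingerprint comparison is the step that actually catches the swap.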