Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-28 Thread Alice Wonder

On 11/28/2018 07:58 PM, Gordon Messmer wrote:
> On 11/27/18 3:47 PM, Alice Wonder wrote:
>> I actually went for a more complex scenario, I've created my own CA
>> complete with CRL.
>
> OK.  That means fewer certificates for your peers to install over time,
> but is otherwise no better than self-signed.
>
>> It's nice because with S/MIME you really want two certs - one for
>> signing (where ecdsa can be used) and one for when you need to receive
>> encrypted.
>
> IIRC, an S/MIME client should be able to install your public cert and
> encrypt messages sent to you with no user interaction.  With
> Thunderbird, if I reply to a signed message, I can encrypt the reply.
> From a usability standpoint, I really want to have just one
> certificate.  The easier it is to send me encrypted messages, the more
> likely it is that messages will be secure.

A) For one certificate to do both it has to be an RSA cert but the
primary use of S/MIME is signing where RSA is excessively bloated
compared to ECDSA.

B) Certs for encryption have to have a backup key somewhere so there
isn't data loss if I lose the private key, and that key needs to be w/o
a pass phrase in case something happens to me and someone else needs
access to the encrypted messages.

But having such a backup means it isn't safe to use for digital signing
because the backup is a theft risk, so signing with that key to prove it
is me isn't a great idea.

>> Web browsers are applications that exist for the explicit purpose of
>> downloading and executing untrusted code. It does not seem like that
>> is a very wise environment to use for generating long term
>> cryptography keys. It really doesn't.
>
> On the other hand, if you don't trust your browser's cryptography
> implementation, you definitely should not be using your browser for
> secure communication (https).

https is handled by a TLS library outside the browser, which is vastly
different than in browser generation of private keys.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-28 Thread Gordon Messmer

On 11/27/18 3:47 PM, Alice Wonder wrote:
> I actually went for a more complex scenario, I've created my own CA
> complete with CRL.

OK.  That means fewer certificates for your peers to install over time,
but is otherwise no better than self-signed.

> It's nice because with S/MIME you really want two certs - one for
> signing (where ecdsa can be used) and one for when you need to receive
> encrypted.

IIRC, an S/MIME client should be able to install your public cert and
encrypt messages sent to you with no user interaction.  With
Thunderbird, if I reply to a signed message, I can encrypt the reply.
From a usability standpoint, I really want to have just one
certificate.  The easier it is to send me encrypted messages, the more
likely it is that messages will be secure.

> Web browsers are applications that exist for the explicit purpose of
> downloading and executing untrusted code. It does not seem like that
> is a very wise environment to use for generating long term
> cryptography keys. It really doesn't.

On the other hand, if you don't trust your browser's cryptography
implementation, you definitely should not be using your browser for
secure communication (https).




Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-27 Thread Dave Stevens
On Wed, 28 Nov 2018 00:54:12 +0100
Rainer Duffner  wrote:

> It’s of course a free country

haven't heard that for quite a while...

d


-- 
In modern fantasy (literary or governmental), killing people is the
usual solution to the so-called war between good and evil. My books are
not conceived in terms of such a war, and offer no simple answers to
simplistic questions.

- Ursula Le Guin


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-27 Thread Rainer Duffner


> On 28.11.2018 at 00:47, Alice Wonder wrote:
> 
> On 11/27/2018 03:33 PM, Gordon Messmer wrote:
>> On 11/25/18 5:35 AM, Alice Wonder wrote:
>>> The "free for personal" S/MIME from Comodo didn't work. Browser said it did 
>>> but there was nothing to export for me to then import. I suspect it is 
>>> because I used private browser window,
>> Probably, yes.  I've used that service in the past without issue.
>>> I really don't like the idea of a private key stored in browser anyway. And 
>>> it never asked for a password to encrypt the private key
>> Setting a password will protect all of the certificates stored by Firefox.  
>> Select: Preferences -> Privacy and Security -> Security Devices (under 
>> Certificates) -> Software Security Device -> Change password
>> Chrome may have a similar option, but I don't see it and I don't see 
>> documentation for it.
>>> nor let me specify key strength (only let me choose between medium and high 
>>> - I assume high is 4096 but I don't know, it didn't say)
>> There's very little harm in getting a certificate and examining it to find 
>> out.  You can destroy it later with no ill effect.
> 
> I actually went for a more complex scenario, I've created my own CA complete 
> with CRL.
> 
> It's nice because with S/MIME you really want two certs - one for signing 
> (where ecdsa can be used) and one for when you need to receive encrypted. And 
> I have multiple e-mail accounts I want to do this with.
> 
> Could have done self-signed too but this at least allows me to revoke if a 
> device like laptop or phone w/ private key is stolen.
> 
> Does mean those who want to confirm my messages have to import my root key 
> but that's for them to decide.
> 
> Web browsers are applications that exist for the explicit purpose of 
> downloading and executing untrusted code. It does not seem like that is a 
> very wise environment to use for generating long term cryptography keys. It 
> really doesn't.


Well, your own CA’s certificates are basically self-signed.

It’s of course a free country and you can do what you want - but in your case, 
you could just as well use GPG and be done with it. You could place your GPG 
public key where your root-certificate is placed and people could download and 
import that public key.
The point of S/MIME is that there is a central authority to validate the owners 
of the certificates and no peer-to-peer fingerprint checking etc. a la GPG/PGP 
is needed.

It does have better native support in MUAs, I’ll give you that.







Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-27 Thread Alice Wonder

On 11/27/2018 03:33 PM, Gordon Messmer wrote:
> On 11/25/18 5:35 AM, Alice Wonder wrote:
>> The "free for personal" S/MIME from Comodo didn't work. Browser said
>> it did but there was nothing to export for me to then import. I
>> suspect it is because I used private browser window,
>
> Probably, yes.  I've used that service in the past without issue.
>
>> I really don't like the idea of a private key stored in browser
>> anyway. And it never asked for a password to encrypt the private key
>
> Setting a password will protect all of the certificates stored by
> Firefox.  Select: Preferences -> Privacy and Security -> Security
> Devices (under Certificates) -> Software Security Device -> Change password
>
> Chrome may have a similar option, but I don't see it and I don't see
> documentation for it.
>
>> nor let me specify key strength (only let me choose between medium and
>> high - I assume high is 4096 but I don't know, it didn't say)
>
> There's very little harm in getting a certificate and examining it to
> find out.  You can destroy it later with no ill effect.

I actually went for a more complex scenario, I've created my own CA
complete with CRL.

It's nice because with S/MIME you really want two certs - one for
signing (where ecdsa can be used) and one for when you need to receive
encrypted. And I have multiple e-mail accounts I want to do this with.

Could have done self-signed too but this at least allows me to revoke if
a device like laptop or phone w/ private key is stolen.

Does mean those who want to confirm my messages have to import my root
key but that's for them to decide.

Web browsers are applications that exist for the explicit purpose of
downloading and executing untrusted code. It does not seem like that is
a very wise environment to use for generating long term cryptography
keys. It really doesn't.

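The setup Alice describes here and in the replies further up the page (a private CA with a CRL, an ECDSA certificate for signing, a separate RSA certificate for receiving encrypted mail, and the ability to revoke a certificate after a device theft) can be reproduced end to end with the openssl CLI. The script below is an added example, not code from the thread or from any of its participants: the CA name, the address alice@example.com, the file names and the PKCS#12 password are constructed, and the keys are left unencrypted only so it runs without prompts. It also shows why the split matters: keyUsage on each certificate limits it to one role, which is what lets the escrowed encryption key stay out of the signing role.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA with a CRL that issues
# two S/MIME certs for one address, an ECDSA signing cert (keyUsage limited to
# digitalSignature) and an RSA encryption cert (keyUsage limited to
# keyEncipherment), then revokes the signing cert as one would after a device
# theft. CA name, address, file names and the PKCS#12 password are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
EMAIL="alice@example.com"                 # constructed address
cd "$WORK"

# Database files that `openssl ca` maintains (issued certs, next serial, CRL number)
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber

# One CA section, one DN policy, one extension profile per role.
# unique_subject = no lets both leaf certs carry the same subject DN.
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = any_policy
[ any_policy ]
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sign_ext ]
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
[ enc_ext ]
keyUsage = critical, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
EOF

# Root: ECDSA P-256 key and self-signed CA cert (key left unencrypted only so
# the demo runs without prompts)
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
openssl req -x509 -new -key ca.key -config ca.cnf -extensions ca_ext \
  -subj "/CN=Demo Personal CA" -days 3650 -out ca.crt

# Signing cert: ECDSA key, CSR, issued under the sign_ext profile
openssl ecparam -name prime256v1 -genkey -noout -out sign.key
openssl req -new -key sign.key -config ca.cnf \
  -subj "/CN=Alice Wonder/emailAddress=$EMAIL" -out sign.csr
openssl ca -batch -config ca.cnf -extensions sign_ext -notext \
  -in sign.csr -out sign.crt 2>/dev/null

# Encryption cert: RSA key (keyEncipherment is the usage an RSA encryption
# cert needs), issued under the enc_ext profile
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out enc.key 2>/dev/null
openssl req -new -key enc.key -config ca.cnf \
  -subj "/CN=Alice Wonder/emailAddress=$EMAIL" -out enc.csr
openssl ca -batch -config ca.cnf -extensions enc_ext -notext \
  -in enc.csr -out enc.crt 2>/dev/null

# The encryption key is the one that needs an escrow copy; a password-protected
# PKCS#12 bundle is the usual container (password constructed for the demo)
openssl pkcs12 -export -inkey enc.key -in enc.crt -certfile ca.crt \
  -passout pass:demo-backup-password -out enc-backup.p12

# Helpers: purpose check (keyUsage/EKU), CRL check, and PKCS#12 password check
verify_purpose() { openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; }
not_revoked()    { openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1" >/dev/null 2>&1; }
p12_opens()      { openssl pkcs12 -in enc-backup.p12 -passin "pass:$1" -nokeys -noout >/dev/null 2>&1; }

# Empty CRL first, then revoke the signing cert (stolen laptop) and reissue the CRL
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
SIGN_STATUS_BEFORE=$(not_revoked sign.crt && echo valid || echo revoked)
openssl ca -config ca.cnf -revoke sign.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
SIGN_STATUS_AFTER=$(not_revoked sign.crt && echo valid || echo revoked)
echo "signing cert: $SIGN_STATUS_BEFORE before revocation, $SIGN_STATUS_AFTER after"
```

`openssl verify -purpose smimesign` accepts the ECDSA certificate and rejects the RSA one, and `-purpose smimeencrypt` does the reverse, which is the same keyUsage check a mail client applies; the CRL is what a plain self-signed setup cannot offer, since after the revocation the signing certificate fails `-crl_check` while the encryption certificate still passes. Peers still have to import ca.crt, exactly as Alice notes.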


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-27 Thread Gordon Messmer

On 11/25/18 5:35 AM, Alice Wonder wrote:
> The "free for personal" S/MIME from Comodo didn't work. Browser said
> it did but there was nothing to export for me to then import. I
> suspect it is because I used private browser window,

Probably, yes.  I've used that service in the past without issue.

> I really don't like the idea of a private key stored in browser
> anyway. And it never asked for a password to encrypt the private key

Setting a password will protect all of the certificates stored by
Firefox.  Select: Preferences -> Privacy and Security -> Security
Devices (under Certificates) -> Software Security Device -> Change password

Chrome may have a similar option, but I don't see it and I don't see
documentation for it.

> nor let me specify key strength (only let me choose between medium and
> high - I assume high is 4096 but I don't know, it didn't say)

There's very little harm in getting a certificate and examining it to
find out.  You can destroy it later with no ill effect.





Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-26 Thread Mark Milhollan
On Sun, 25 Nov 2018, Alice Wonder wrote:

> I want more than just DKIM sigs on my e-mail now.

That digital signature (failing to verify) should be sufficient proof 
that the content was altered -- it is as strong as S/MIME signing only 
will provide, i.e., if someone with power over your life can be 
convinced that you authored an altered/doctored message then whether the 
DKIM headers or the S/MIME signature was discarded seems pretty 
immaterial.

> Anyway looking for S/MIME I can use to sign and/or encrypt but mostly sign. 

> The "free for personal" S/MIME from Comodo didn't work. Browser said it did 
> but
> there was nothing to export for me to then import. I suspect it is because I
> used private browser window, I really don't like the idea of a private key
> stored in browser anyway. And it never asked for a password to encrypt the
> private key, nor let me specify key strength (only let me choose between 
> medium
> and high - I assume high is 4096 but I don't know, it didn't say)

Likely being "private" was the issue though I'd expect that if a key 
won't be stored because the window was private it should refuse to 
generate a CSR which is what happens though you can't see it.  Perhaps 
you should revoke and reissue, i.e., try again but not private, or it 
might be on a different tab that you failed to notice.  Once you have a 
signed certificate installed you can export it to a PKCS#12 bundle for 
which Firefox will require a password.  Feel free to delete it from the 
browser's store once you export it -- I doubt I would; the certificate 
usage specifier should prevent it being used when visiting a site that 
allows or requires you to provide a client-side certificate.

> But I can't find anyone who sells certs for S/MIME to send the CSR to.

Indeed, nothing inexpensive.  Supply and demand economics, you want what 
isn't in much demand so pay a premium.  I can't even find it in the 
OpenSRS reseller panel and they resell everything they can.  
mozillaZine has a knowledgebase article about it along with possible 
sources (including signers that are no longer issuing them), see 
.


/mark


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Sorin Srbu
> -Original Message-
> From: CentOS  On Behalf Of Alexander Dalloz
> Sent: 25 November 2018 17:37
> To: centos@centos.org
> Subject: Re: [CentOS] [OT] Where to buy S/MIME ??
> 
> Letsencrypt does not sign certificates for use with S/MIME.
> 
> Alexander


Ah. Thanks.

--
//Sorin


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Sorin Srbu
> -Original Message-
> From: CentOS  On Behalf Of Alice Wonder
> Sent: 25 November 2018 14:35
> To: CentOS mailing list 
> Subject: [CentOS] [OT] Where to buy S/MIME ??
> 
> Hi, I'm getting increasingly paranoid.
> 
> Something I said on a certain social media site several months ago was
> modified - then reported - then my account was banned until I agreed to
> delete it.
> 
> Obviously since what I said was modified I didn't have any issue with
> deleting it but I want more than just DKIM sigs on my e-mail now.
> 
> Anyway looking for S/MIME I can use to sign and/or encrypt but mostly
> sign. Not interested in GnuPG or self-signed S/MIME - I want something
> that can be trusted because someone else that is trusted actually
> vouched for me.
> 
> The "free for personal" S/MIME from Comodo didn't work. Browser said it
> did but there was nothing to export for me to then import. I suspect it
> is because I used private browser window, I really don't like the idea
> of a private key stored in browser anyway. And it never asked for a
> password to encrypt the private key, nor let me specify key strength
> (only let me choose between medium and high - I assume high is 4096 but
> I don't know, it didn't say)
> 
> Didn't like the "browser generated" process, even if it had worked and
> generated the final product I could export - I really didn't like the
> process and have serious questions about the wisdom of a private key
> without a pass phrase stored in an application that interacts with web
> sites.
> 
> Anyway so used openssl to create private key (with aes-256 encryption
> and pass phrase) and then a CSR.
> 
> But I can't find anyone who sells certs for S/MIME to send the CSR to.
> 
> Globalsign but they wanted $89 - no one else.
> 
> Found a few sites that offered to "send me a quote" that I think were
> intended for corporate accounts.
> 
> Where do regular users who just want an inexpensive certificate usable
> for S/MIME from a CSR generated the traditional way go to buy a cert?

Would letsencrypt.org work for you?
I use them for my web sites, but unsure if you can do s/mime with them.

It's free, and trusted/sponsored by loads of big muckamucks according to
their web site.
--
//Sorin


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Alexander Dalloz

On 25.11.2018 at 17:26, Alfred von Campe wrote:
> On Nov 25, 2018, at 8:35, Alice Wonder  wrote:
>> Where do regular users who just want an inexpensive certificate usable for
>> S/MIME from a CSR generated the traditional way go to buy a cert?
>
> Have you looked at https://letsencrypt.org?
>
> Alfred

Letsencrypt does not sign certificates for use with S/MIME.

Alexander




Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Alfred von Campe


> On Nov 25, 2018, at 8:35, Alice Wonder  wrote:
> 
> Where do regular users who just want an inexpensive certificate usable for 
> S/MIME from a CSR generated the traditional way go to buy a cert?

Have you looked at https://letsencrypt.org? 

Alfred


Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Rainer Duffner


> On 25.11.2018 at 14:35, Alice Wonder wrote:
> 
> Hi, I'm getting increasingly paranoid.
> 
> Something I said on a certain social media site several months ago was 
> modified - then reported - then my account was banned until I agreed to
> delete it.
> 
> Obviously since what I said was modified I didn't have any issue with 
> deleting it but I want more than just DKIM sigs on my e-mail now.
> 
> Anyway looking for S/MIME I can use to sign and/or encrypt but mostly sign. 
> Not interested in GnuPG or self-signed S/MIME - I want something that can be 
> trusted because someone else that is trusted actually vouched for me.
> 
> The "free for personal" S/MIME from Comodo didn't work. Browser said it did 
> but there was nothing to export for me to then import. I suspect it is 
> because I used private browser window, I really don't like the idea of a 
> private key stored in browser anyway. And it never asked for a password to 
> encrypt the private key, nor let me specify key strength (only let me choose 
> between medium and high - I assume high is 4096 but I don't know, it didn't 
> say)
> 
> Didn't like the "browser generated" process, even if it had worked and 
> generated the final product I could export - I really didn't like the process 
> and have serious questions about the wisdom of a private key without a pass 
> phrase stored in an application that interacts with web sites.
> 
> Anyway so used openssl to create private key (with aes-256 encryption and 
> pass phrase) and then a CSR.
> 
> But I can't find anyone who sells certs for S/MIME to send the CSR to.
> 
> Globalsign but they wanted $89 - no one else.
> 
> Found a few sites that offered to "send me a quote" that I think were 
> intended for corporate accounts.
> 
> Where do regular users who just want an inexpensive certificate usable for 
> S/MIME from a CSR generated the traditional way go to buy a cert?
> 
> -=-
> 
> Off Topic 2
> 
> I'm going to strangle whoever it is at Google that thinks it is a good idea 
> to put so many video results at the top of search results for this kind of 
> thing. I'm really getting sick of how highly ranked videos now are in search 
> engines.



Good question.

Usually, these are more targeted towards businesses, ordering a number of 
client-certificates (not just one or two).

Do you have a business (your website looks like a business)?

Here in Switzerland, we use QuoVadis for these certificates (and the normal 
ones). I’m not sure if they provide service to US citizens.

I suggest you consider subscribing to ProtonMail, if nothing else comes 
forwards.

They’ve got a „2 years for 1“ special up for another couple of hours.



Best Regards
Rainer





[CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Alice Wonder

Hi, I'm getting increasingly paranoid.

Something I said on a certain social media site several months ago was 
modified - then reported - then my account was banned until I agreed to
delete it.


Obviously since what I said was modified I didn't have any issue with 
deleting it but I want more than just DKIM sigs on my e-mail now.


Anyway looking for S/MIME I can use to sign and/or encrypt but mostly 
sign. Not interested in GnuPG or self-signed S/MIME - I want something 
that can be trusted because someone else that is trusted actually 
vouched for me.


The "free for personal" S/MIME from Comodo didn't work. Browser said it 
did but there was nothing to export for me to then import. I suspect it 
is because I used private browser window, I really don't like the idea 
of a private key stored in browser anyway. And it never asked for a 
password to encrypt the private key, nor let me specify key strength 
(only let me choose between medium and high - I assume high is 4096 but 
I don't know, it didn't say)


Didn't like the "browser generated" process, even if it had worked and 
generated the final product I could export - I really didn't like the 
process and have serious questions about the wisdom of a private key 
without a pass phrase stored in an application that interacts with web 
sites.


Anyway so used openssl to create private key (with aes-256 encryption 
and pass phrase) and then a CSR.


But I can't find anyone who sells certs for S/MIME to send the CSR to.

Globalsign but they wanted $89 - no one else.

Found a few sites that offered to "send me a quote" that I think were 
intended for corporate accounts.


Where do regular users who just want an inexpensive certificate usable 
for S/MIME from a CSR generated the traditional way go to buy a cert?


-=-

Off Topic 2

I'm going to strangle whoever it is at Google that thinks it is a good 
idea to put so many video results at the top of search results for this 
kind of thing. I'm really getting sick of how highly ranked videos now 
are in search engines.

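The "traditional way" from the original post, an openssl-generated private key encrypted with AES-256 under a pass phrase followed by a CSR, looks like the script below. This is an added example and not the poster's own commands: the address, the pass phrase and the file names are constructed, and the `-pass`/`-passin` options stand in for the interactive prompt so it runs unattended. It adds the checks worth running before a CSR goes to any CA: that the key file really is encrypted and rejects a wrong pass phrase, that the key size is the one asked for, that the CSR's self-signature verifies, and that the e-mail address appears as a subjectAltName, which is what S/MIME clients match against.

```shell
#!/bin/sh
# Added example, not from the thread: AES-256-encrypted RSA key plus an S/MIME
# CSR made with the openssl CLI, followed by the checks to run before sending
# the CSR to a CA. Address, pass phrase and file names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
EMAIL="alice@example.com"                 # constructed address
PASS="pass:correct-horse-demo-only"       # constructed; drop -pass/-passin to be prompted
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf

# 1. RSA-4096 private key written as PKCS#8, encrypted with AES-256-CBC
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
  -aes-256-cbc -pass "$PASS" -out smime.key 2>/dev/null

# 2. CSR: the address goes in the subject and, as an rfc822Name, in
#    subjectAltName (the field S/MIME clients match); the requested usages
#    let one cert both sign and receive encrypted mail
openssl req -new -config req.cnf -key smime.key -passin "$PASS" \
  -subj "/CN=Alice Wonder/emailAddress=$EMAIL" \
  -addext "subjectAltName=email:$EMAIL" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=emailProtection" \
  -out smime.csr

# 3. Checks: each function exits 0 when the property holds
key_is_encrypted() { grep -q "BEGIN ENCRYPTED PRIVATE KEY" smime.key; }
key_bits() {
  openssl pkey -in smime.key -passin "$PASS" -noout -text \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}
wrong_pass_rejected() { ! openssl pkey -in smime.key -passin pass:not-it -noout >/dev/null 2>&1; }
csr_signature_ok()    { openssl req -config req.cnf -in smime.csr -noout -verify >/dev/null 2>&1; }
csr_has_email_san()   { openssl req -config req.cnf -in smime.csr -noout -text | grep -q "email:$EMAIL"; }

echo "key encrypted: $(key_is_encrypted && echo yes || echo no), $(key_bits) bits"
echo "CSR signature: $(csr_signature_ok && echo ok || echo BAD), SAN email: $(csr_has_email_san && echo present || echo MISSING)"
```

The key never leaves the machine in clear form: the CA only ever sees smime.csr, and the pass phrase is needed for every later use of smime.key, which is the property the original post wanted and the browser flow did not give.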