Anders Rundgren wrote:
Most organizations use directories. When certificates are issued to individuals, the CA also populates a directory for that user. Both Thunderbird and Outlook can fetch certificates from those directories.
Robert,
Pardon me. I did indeed not intend to slam Paul's guide. I changed the thread but I don't expect a fruitful debate since the difficulties are mostly unrelated to NSS. I feel sorry for those who feel that S/MIME encryption needs to become mainstream because that will never happen since there is no way I can send an encrypted mail to an ad-hoc contact since you cannot locate the key. At least I have no idea how to do that, not even for the US CAC and PIV users, because where is the repository???
Longer term, it's possible to have a certificate issued automatically for a user that doesn't have one, as long as you have a secure way for that user to 'recover' his private key.
The real bear in Thunderbird is getting the user's own certificate issued. Not a lot of work has gone into this problem yet. (Outlook has it a little easier, since it shares a certificate store with IE on the user's local machine.)
That's sort of interesting, except it requires you to own the servers on both endpoints, which really reduces its usefulness. It also requires you to inherently trust your infrastructure. With S/MIME, I can send secure messages to people without trusting the Red Hat IS infrastructure (or from home without trusting PacBell).
Secure e-mail should have been put at the server-level, then we would have had some base-level security that would cover 99% of all uses. But it didn't and therefore 80% of all messages are not even coming from the domain they claim. How very useful.
bob
_______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto

