On 10.06.2010 21:00, Nelson B Bolyard wrote:
> Kaspar, would you care to clarify what you mean by "old" format there?
> It appears to me that it always uses the KeyID format for the
> SignerIdentifier. I'd call the KeyID format the "new" format.
>
> Maybe you mean "old" as in the Outlook 2010 default format used before a
> registry entry has been added in an attempt to change it. yes?
No. What I was referring to is:
"old" -> issuerAndSerialNumber
"new" -> subjectKeyIdentifier
(Note that I just used "old" in the previous post because the OP was
stating that the format "can be reverted to an older style using a
registry key". I don't think we should treat this as a question of "new"
vs. "old" - as the issue at hand shows the two forms can't be used
interchangeably in all circumstances.)
>> and the registry setting will only have an effect for the encoding of
>> the *Recipient*Identifier.)
Hopefully the following mini-table will make things clearer. It shows
what format for the RecipientIdentifier and the SignerIdentifier Outlook
2010 uses depending on the registry setting [1]:
                         UseIssuerSerialNumber set to...
                         0 [=default]             1
    RecipientIdentifier  subjectKeyIdentifier     issuerAndSerialNumber
    SignerIdentifier     issuerAndSerialNumber    issuerAndSerialNumber
And to reiterate the issue which needs to be fixed in Outlook: when a
recipient certificate does not have a subjectKeyIdentifier extension,
then it must not use the subjectKeyIdentifier format when referring to
this cert (irrespective of the registry setting, of course).
> And to successfully identify the signer's
> cert *as long as* the signer's cert really has a subjectKeyID extension.
> Otherwise, it will not be able to find the signer's cert, and hence will
> not store it in the cert store. This may make it difficult (or impossible)
> to send an encrypted reply to the mail.
As seen from the table above, this is currently a non-issue (Outlook
will always encode SignerIdentifier with issuer name + serial). But I
agree that the Outlook developers should pay attention to this as well
when they are touching the code to fix the RecipientIdentifier stuff.
Kaspar
[1] Complete registry path:
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security\UseIssuerSerialNumber
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
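The RecipientIdentifier choice the thread discusses, as an added stand-alone example (not code from the thread or from Outlook): it DER-encodes the CMS RecipientIdentifier (RFC 5652, section 6.2.1) for a recipient certificate, honouring the UseIssuerSerialNumber setting from the table above and applying the fix Kaspar asks for, namely never emitting the subjectKeyIdentifier form for a certificate that has no subjectKeyIdentifier extension. The RecipientCert class, the issuer Name, serial and SKID bytes are constructed stand-ins for fields that would normally be read from the X.509 certificate.

```python
from dataclasses import dataclass
from typing import Optional

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; adds a leading 0x00 when the top bit is set."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

@dataclass
class RecipientCert:
    """Constructed stand-in for the certificate fields this decision needs (not a real X.509 parser)."""
    issuer_der: bytes                # the certificate's issuer Name, copied verbatim as DER
    serial: int                      # certificate serial number
    subject_key_id: Optional[bytes]  # None when the cert has no SKID extension (OID 2.5.29.14)

def encode_recipient_identifier(cert: RecipientCert, use_issuer_serial_number: int = 0) -> bytes:
    """DER of RecipientIdentifier ::= CHOICE { issuerAndSerialNumber, subjectKeyIdentifier [0] }.
    use_issuer_serial_number mirrors the Outlook 2010 registry value (1 forces issuerAndSerialNumber);
    the SKID-presence check is the fix the thread asks for: no SKID extension, no SKID identifier."""
    if use_issuer_serial_number == 0 and cert.subject_key_id is not None:
        return der_tlv(0x80, cert.subject_key_id)  # [0] IMPLICIT OCTET STRING, primitive
    # IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber CertificateSerialNumber }
    return der_tlv(0x30, cert.issuer_der + der_integer(cert.serial))

def identifier_kind(rid: bytes) -> str:
    """Classify an encoded RecipientIdentifier by its outer tag, as a receiving agent would."""
    return {0x30: "issuerAndSerialNumber", 0x80: "subjectKeyIdentifier"}.get(rid[0], "unknown")

def ktri_version(rid: bytes) -> int:
    """KeyTransRecipientInfo.version: 0 for issuerAndSerialNumber, 2 for subjectKeyIdentifier."""
    return 2 if rid[0] == 0x80 else 0

# Constructed sample: issuer Name "CN=Test CA" in DER, serial 0x1234, a 20-byte SKID.
ISSUER_DER = bytes.fromhex("30123110300e0603550403130754657374204341")
WITH_SKID = RecipientCert(ISSUER_DER, 0x1234, bytes(range(20)))
WITHOUT_SKID = RecipientCert(ISSUER_DER, 0x1234, None)

if __name__ == "__main__":
    for cert in (WITH_SKID, WITHOUT_SKID):
        rid = encode_recipient_identifier(cert)  # default setting, as in the table above
        print(identifier_kind(rid), "version", ktri_version(rid), rid.hex())
```

With the default setting the certificate without an SKID extension falls back to issuerAndSerialNumber, which is exactly the behaviour the thread says Outlook currently lacks.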