It seems that Thunderbird refuses to use X.509 certificates for S/MIME encryption when these certificates do not contain the email address of the subject. We want to use S/MIME with keys stored on smart cards and certificates distributed via LDAP. For obvious reasons we cannot attach certificates to fixed email addresses.
RFC 3850, describing certificate handling in S/MIME 3.1 (or RFC 2632 for version 3), states that "Receiving agents MUST recognize and accept certificates that contain no email address". And indeed, Thunderbird is able to verify a signature or decrypt an email if certificates with no email addresses were used (though it gives a warning when verifying a signature). It can also use a certificate without an email address for signing emails. However, it fails when I'm trying to encrypt an email. The encryption certificates without an email address can neither be explicitly imported via Certificate Manager nor loaded from the LDAP. Microsoft Outlook has similar issues, but after some registry tweaking it can be enabled to use such certificates (http://support.microsoft.com/kb/276597).

Is there a way to make Thunderbird accept such certificates too?

Best regards,
Sergei Evdokimov

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

