Jennifer Knoell wrote:
I'm not sure if I am in the right group, but here it goes:
It may be that the appropriate place for this is
mozilla-security ?
I'd like to make sure people in my employers company use signed emails.
Why is that? (I know that signed email has been
proposed ad nauseum as a solution to spam and
phishing, but it's a non-starter because of the
infinitesimal adoption rates.)
No problem, the mail clients support it. But, my boss does not invest in
getting "official" certs for each mail account, as he thinks signing
doesn't add any value.
I agree with your boss. Unless there is something
very specific and unusual, there is absolutely no
reason to "invest" in signing emails.
There isn't much value in signing emails. There
is some value in encrypting emails, but it is
completely obscure why this should be done with
purchased certs; people using OpenPGP products
tend to get by happily without paying anyone
for permission to communicate securely.
So I was looking into creating mail signing certs myself. Works. But
ofcourse, if we send such a signed mail to anyone outside the company,
the recipients will get a warning since they don't recognize the issuing
CA.
Creating self signed certs (SSCs) should really be
the way to go. You do after all create your own
hand written signature. Also, with anyone who wants
to check your signature, you already have a prior
relationship, so it's not as if you need to worry
about people creating an SSC in your name and
pretending to be you.
The fact that the other clients don't recognise
the CA should be treated as a bug.
Unfortunately, email clients like thunderbird and
the others are not set up to generate or accept SSCs
for the user. This in my view is a general and
specific flaw in the entire model, and is probably
the one single biggest reason why x509 email (or
whatever term applies) is a flop.
It's particularly obvious in this case - no cert,
no security. What do people do? Well, they go
and transmit insecurely/without signatures. The
notion that this product protects the average user
then is a nonsense.
Questions for everyone: does this debate belong
on mozilla-security ? Should this be filed as a
bug ?
I can't see a graceful way around that problem. I thought maybe
self-signing the cert, but I suspect that many mail clients may puke on
that too. Any idea?
There are other solutions - a group called CACert
is awaiting the process of being added as a root
in Mozilla family.
Also, you should look at the various OpenPGP
plugins for thunderbird (I haven't) as they
allow encrypted and also signed mail to be done
with OpenPGP keys. Search on Enigmail / GPG ?
iang
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
