Jennifer Knoell wrote: I'd like to make sure people in my employer's company use signed emails.
Why is that?
Mostly for verification. Encryption is a non-issue since all mail communication stays within our network - which already provides mandatory encryption for road warriors. I'd like to make sure that if the managers get a mail from the IT department they _know_ it's from the IT department. And vice versa of course.
I agree with your boss. Unless there is something very specific and unusual, there is absolutely no reason to "invest" in signing emails.
As far as I see it, it's one more layer to secure communication.
There isn't much value in signing emails. There is some value in encrypting emails, but it is completely obscure why this should be done with purchased certs; people using OpenPGP products tend to get by happily without paying anyone for permission to communicate securely.
Too cumbersome. The whole infrastructure here is Windows-based, and my experience with PGP on Windows was such that our average employee here wouldn't be able to use it.
Creating self-signed certs (SSCs) should really be the way to go. You do after all create your own handwritten signature. Also, with anyone who wants to check your signature, you already have a prior relationship, so it's not as if you need to worry about people creating an SSC in your name and pretending to be you.
That's the idea, yes. AFAIK every email client out there complains if the digital signature doesn't match the saved signature. The only thing I need to get around is the warning, which may confuse people outside of our organization. Sure it's a simple thing to disable digital signing in this case - but let me tell you with what kind of employees I deal here: Got a call today from a fairly high-up guy raving that his newly serviced printer doesn't work. Turned out he forgot to put paper in, and it even told him so. Duh.
Unfortunately, email clients like Thunderbird and the others are not set up to generate or accept SSCs for the user. This in my view is a general and specific flaw in the entire model, and is probably the one single biggest reason why x509 email (or whatever term applies) is a flop.
I'd generate them for the users anyway, even install it in their clients.
I can't see a graceful way around that problem. I thought maybe self-signing the cert, but I suspect that many mail clients may puke on that too. Any idea?
There are other solutions - a group called CACert is awaiting the process of being added as a root in Mozilla family.
Which would not necessarily help me, considering the fact that I only control which clients are used _inside_ our company. I'm currently using Thunderbird, but the majority of the office does not (yet). Still working on that though :)
Also, you should look at the various OpenPGP plugins for Thunderbird (I haven't) as they allow encrypted and also signed mail to be done with OpenPGP keys. Search on Enigmail / GPG?
General problem with PGP: most clients don't support it, certainly not natively.
I appreciate your feedback, it gave me some more ideas to look into.
Jen

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
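The self-signed S/MIME approach discussed in the thread, as an added openssl example that is not part of the original post: it creates a self-signed signing certificate, signs a message, and shows that verification succeeds only for a recipient who already trusts that exact certificate (the source of the client warning Jen mentions) and fails once the signed text is altered. The it@example.com address, subject name and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed S/MIME signing with openssl.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed certificate for the IT department mailbox (constructed address).
#    emailProtection marks it as an S/MIME certificate; no CA is involved.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=IT Department/emailAddress=it@example.com" \
  -addext "subjectAltName=email:it@example.com" \
  -addext "extendedKeyUsage=emailProtection" \
  -keyout it.key -out it.crt >/dev/null 2>&1

# 2. Sign a constructed plain-text message (clear-signed, multipart/signed).
printf 'Please load paper before calling IT about the printer.\n' > msg.txt
openssl smime -sign -in msg.txt -signer it.crt -inkey it.key -text -out msg.signed

# Recipient who has pinned it.crt as trusted: verification succeeds.
verify_with_trust() {
  openssl smime -verify -in msg.signed -CAfile it.crt -out /dev/null 2>/dev/null
}

# Recipient with only the default trust store: the self-signed signer is
# rejected, which is what an unconfigured mail client reports as a warning.
verify_without_trust() {
  if openssl smime -verify -in msg.signed -out /dev/null 2>/dev/null; then
    return 1   # untrusted signer was accepted: not expected
  fi
  return 0
}

# Integrity check: changing one word of the signed text breaks verification
# even for the recipient who trusts the certificate.
tampered_fails() {
  sed 's/paper/toner/' msg.signed > msg.tampered
  if openssl smime -verify -in msg.tampered -CAfile it.crt -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}
```

The cert must be distributed to every recipient out of band (for example, pushed into the clients inside the company) for the first check to succeed; that distribution step is what a CA-issued cert replaces.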
