Dave Roberts wrote:
> On Fri, 02 Nov 2001 23:21:26 GMT, Robert Relyea <[EMAIL PROTECTED]>
> allegedly wrote:
>
>>>I'd like to be able to export the public portion of my key as an X.509
>>>certificate in PEM format. That way, I can publish it on my web page.
>>>Then we need the other bit - to be able to import someone else's
>>>certificate from that same PEM format. In this way, someone can take
>>>my cert, install it, and send me an encrypted mail. Currently, they
>>>have to contact me, ask for a signed message, and wait.
>>>
>>
>>You can export the cert from your cert database with certutil in either
>>binary or base64 encoding. This works well with the right attributes
>>for importing certs.
>>
>
> It would be nice to do this from the UI. You can't expect people to use a
> command line tool.

I wouldn't expect mom and pop to use it, but then I wouldn't expect mom
and pop to understand what PEM format is, or how and why they would want
to export it to their website. I think the goal should be that the
expert users can accomplish the things they need but concentrate on
those issues that prevent the more naive users from safely using this
feature.

>
>>>PKCS#7 Certs-Only message sounds nice in theory, but I don't think is
>>>any more useful than a signed message, although it may not hurt to
>>>support it. I recall that Netscape 4.7 recognised these messages,
>>>indicated that the message contained certificates and then wouldn't
>>>let you do anything with them. Understandable though if the cert
>>>chain didn't reach a trusted CA, but would be useful to allow an
>>>import if it does.
>>>
>>
>>The main reason for this format is because 1) the message also includes
>>S/MIME preferences which aid in determining which ciphers to use, and
>>2) It's already understood by other existing S/MIME clients.
>>
>
> I know what its intentions are, but Netscape 4.7 didn't import the
> certificates contained within such a message (as far as I can recall).

No, Netscape 4.7 does import certs in this way. Many of us have quite
large cert7.db's to prove it ;). It's the way Netscape 4.7 expects to
find email certs in a directory as well (though it can handle raw
certs).

> Besides, I was just responding to a question of what formats should be
> supported for import/export. I merely raised the point of whether a PKCS#7
> certs-only message was worth it, given that some mail clients do not
> support it, and it offers no additional benefits over a signed only
> message.

Good point.
