On Fri, 02 Nov 2001 23:21:26 GMT, Robert Relyea <[EMAIL PROTECTED]> allegedly wrote:
>> I'd like to be able to export the public portion of my key as an X.509
>> certificate in PEM format. That way, I can publish it on my web page.
>> Then we need the other bit - to be able to import someone else's
>> certificate from that same PEM format. In this way, someone can take
>> my cert, install it, and send me an encrypted mail. Currently, they
>> have to contact me, ask for a signed message, and wait.
>
> You can export the cert from your cert database with certutil in either
> binary or base64 encoding. This works well with the right attributes
> for importing certs.

It would be nice to do this from the UI. You can't expect people to use a command line tool.

>> PKCS#7 Certs-Only message sounds nice in theory, but I don't think is
>> any more useful than a signed message, although it may not hurt to
>> support it. I recall that Netscape 4.7 recognised these messages,
>> indicated that the message contained certificates and then wouldn't
>> let you do anything with them. Understandable though if the cert
>> chain didn't reach a trusted CA, but would be useful to allow an
>> import if it does.
>
> The main reason for this format is because 1) the message also includes
> S/MIME preferences which aid in determining which ciphers to use, and
> 2) It's already understood by other existing S/MIME clients.

I know what its intentions are, but Netscape 4.7 didn't import the certificates contained within such a message (as far as I can recall). Besides, I was just responding to a question of what formats should be supported for import/export. I merely raised the point of whether a PKCS#7 certs-only message was worth it, given that some mail clients do not support it, and it offers no additional benefits over a signed only message.

> PKCS #12 is for exporting your certs and keys, so you wouldn't want to
> place that file on your website;).

PKCS#12 is already supported, hence I didn't raise it. :)

- Dave.
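
Added example, not part of the original message or of any project's code: a pre-publication check that accepts an export in either binary (DER) or base64 (PEM) encoding and reports whether it holds only a certificate or has the outer shape of a PKCS #12 or private-key file. The function names and result labels are hypothetical, the test is a shape heuristic on the first ASN.1 tags rather than a full parser, and the sample bytes are constructed.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def first_inner_tag(der: bytes) -> int:
    """Check the outer DER SEQUENCE spans the whole input; return the first inner tag."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or len(der) < 2 + count:
            raise ValueError("unsupported DER length")
        length, offset = int.from_bytes(der[2:2 + count], "big"), 2 + count
    if length == 0 or offset + length != len(der):
        raise ValueError("truncated input or trailing data")
    return der[offset]

def classify_der(der: bytes) -> str:
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }  -> inner tag 0x30
    # PFX (PKCS #12) and private keys start with a version INTEGER -> inner tag 0x02
    tag = first_inner_tag(der)
    if tag == 0x30:
        return "certificate"
    if tag == 0x02:
        return "pkcs12-or-key"
    raise ValueError("unrecognised structure")

def classify_export(data: bytes) -> str:
    """Return 'certificate' only if every object in the file looks like a certificate."""
    blocks = PEM_RE.findall(data.decode("latin-1"))
    if not blocks:  # no PEM armour: treat the input as binary DER
        return classify_der(data)
    for label, body in blocks:
        if label != "CERTIFICATE":
            return "pkcs12-or-key" if "PRIVATE KEY" in label else "other"
        der = base64.b64decode("".join(body.split()), validate=True)
        if classify_der(der) != "certificate":
            return "other"
    return "certificate"

# Constructed byte strings with the right outer shape; not real certificates or keys.
CERT_LIKE = bytes.fromhex("3006300402020102")
PFX_LIKE = bytes.fromhex("3003020103")
```
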
