Hi Julien,
Julien Pierre wrote:
Ian,
Ian G wrote:
For encryption, just now I tried again, and I may have figured out the problem: it requires me to select a certificate, which wasn't obvious the first time I went through the various dialogues; it should just automatically select the one cert that is there (actually it should automatically create, sign and select a cert on install time .. but that's another debate).
That's making a pretty big assumption - that you only have one cert in the database that matches your email address(es).
Hmm, ok, well I suppose that's true as an assumption, and looking at Account / Settings ... the cert that is now selected to sign for this email address is *not* for this email address. This may explain why it didn't in the end sign for this email ;-)
So now I have to figure out how to find a cert for this email address. Now given that it took like 10 minutes of clicking around by an expert in the CA's business to do with the one cert I've got, I'm not hopeful!
Especially as there is no button to create a cert.
But it's true the interface definitely doesn't make it obvious how to turn on signing and encryption.
But, in Options/Security I found a menu that gave options to encrypt and to sign. They need to be on the chrome somewhere, imho.
They are, at least in Mozilla mail. One of the buttons, between "spell" and "save", is called "security". It's got a drop-down menu to select encryption and/or signing.
AHHHH.... that's what that funny little thing on the button is. OK, that's better.
So I guess the thing is to set the default in Edit / Account Settings / [EMAIL PROTECTED] / Security / Encryption to say Never and then to override that by clicking the Options/Security/Encrypt each time?
Yep.
In summary,
1. it should create and select a cert on install.
That would require a relationship with a CA and automated protocol.
No, create the cert without a CA and self-sign it. I know you won't like that, but IMHO until that is done, S/MIME mail will never take off. There is no basis to _require_ a CA to handle email, that's something that should be optional and for companies, mostly.
Besides, the install time wouldn't be the right time to do it, or at least not the only time. E-mail account creation time would be.
Oh, yes, excellent point.
For signatures, that's less interesting to me, but I'll try to sign this email, and if that works, it will be because the Cert was not selected.
Signatures are the way encryption certificates are transmitted, so they are rather crucial. If you don't sign your messages, people won't be able to write you encrypted messages.
? Why is that? Why do I need to sign a mail to send a cert? Why can't the cert be sent anyway, anytime?
My personal policy (and recommendation) would be to never sign email, because it has no clear meaning. At least in OpenPGP it is undefined what the meaning is, by definition! But in S/MIME, I don't know what it is defined to mean.
So this would result in encryption being denied. That's ludicrous! Is that in the standard?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
