Dr. Stephen Henson wrote:
Well unless the software provides a means to reencrypt with a new certificate
the only way is to keep the old certificates and private keys on the system.
<soapbox>
This is something I noticed before too - and appears to be a real "failing" with PKI. Although by "failing" I mean "not what end-users expect"...
Let's assume the whole world has embraced PKI and everyone is sending/receiving S/MIME encrypted e-mails. How are we (as a society) meant to handle "old" e-mails - when by definition there is a lifespan associated with any certificates used in them?
A different spin on the same problem: my cert gets stolen/compromised. I get my certificate revoked. Now no-one trusts my old e-mails - sent and signed by me before the cert was compromised?!? You may argue that is a MUA S/MIME implementation issue - but it's true today for the MUAs I've tried.
What is the purpose of the expiry date on a S/MIME cert anyway? If you had a cert with a 10000-year expiry date, *and you know it was never compromised* - then that fixes these sorts of problems. Is there any downside to that? As far as S/MIME is concerned (IMHO time-limited certs do have a place in other roles), if the safety of the cert is assured, then maybe we should have huge expiry dates on them?
The idea that you have to renew/get new certs for crypting e-mails (documents in general?) doesn't "seem right" to me...
I mean, as far as a usercode goes, as long as you have a right to access (say) a company network, your usercode is static. Your password that protects that usercode should be changed on a regular basis - but even that is really to *limit the length* of a compromise more than stop it being compromised in the first place.
Maybe we should ensure apps focus more on private key protection than try to get the certificates via expiry dates to do that job? (and yes, that can always be worked around as the end-user controls everything in the case of a cert)
</soapbox>
-- Cheers
Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
