Hi,

I have wanted to get my company on S/MIME for a while, and the recent
noise was the final motivator I needed. We are a small company doing
security, however (like anywhere else) not everybody can be considered a
security "expert".

So Outlook and Thunderbird have good support for S/MIME. This is a good
starting point, right? Personally I am using Thunderbird running on
Linux, which has very convenient S/MIME support. I had actually used it
in the past.

Below I will show that in today's market you simply cannot use S/MIME,
because of a combination of bad security practices, silly web-site
design, lousy CA support on Linux and probably a few more factors.

* Started with the free options. The Web is full of tutorials on how
to install the free Comodo email cert in your mail client. It turns
out, with InstantSSL (Comodo) you cannot register twice with the same
email address (e.g. if the cert is lost for some reason or you just
want to use two different machines without shuttling private keys
around). The same is true for StartSSL.
* Next tried Symantec: this is $22 per year, the UI is not very good
(says cert is installed but then has a button to install cert). TB
says the certificate could not be validated "for unknown reasons". I
guess there is no valid certificate chain. Well, Symantec doesn't
appear in either the Chromium/Linux or Firefox/Linux cert stores.
* GlobalSign: EUR 12 for 1 yr, 29 for 3 yrs. Not too bad. So you go
into their wizard. The default is that the private key is generated
by the CA! Which means this product is not (securely) usable for
multiple users in an organization. Most of them will probably leak
their private key.
* CACert: Free and open source. Probably still struggling (the server
is extremely slow). Surprisingly, the CAcert root CA is known by
Chromium/Linux but not by TB/Linux (stock Thunderbird on Ubuntu 12.04).
* Entrust: pricing is only for US, UK and Canada. Other customers are
referred to a small number of resellers (none for my geography).
They still let you order the cert though. And then surprise! The $20
price that appears on the "Buy Now" page turns into $30 when you
complete filling the form.

This covers all I could find on the first 4 Google search pages for
"email certificates". I will try again in a year or two.

Thanks,
Yaron
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass