On 2011/03/17 02:41 PDT, silent...@gmail.com wrote:
> It seems that Thunderbird refuses to use X.509 certificates for S/MIME
> encryption when these certificates do not contain email address of the
> subject. We want to use S/MIME with keys stored on smart cards and
> certificates distributed via LDAP. For obvious reasons we cannot
> attach certificates to fixed email addresses.

Obvious?  Not at all.  Why not?

> The RFC 3850 describing certificate handling in S/MIME 3.1 (or 2632
> for version 3) states that "Receiving agents MUST recognize and accept
> certificates that contain no email address". And indeed, Thunderbird
> is able to verify a signature or decrypt an email if certificates with
> no email addresses were used (though it gives a warning when verifying
> a signature). It can also use a certificate without an email address
> for signing emails. However, it fails when I'm trying to encrypt an
> email. The encryption certificates without an email address can
> neither be explicitly imported via Certificate Manager nor loaded from
> the LDAP.

NSS does not claim compliance with S/MIME 3.1, but only with 3.0.

> Microsoft Outlook has similar issues, but after some registry tweaking
> it can be enabled to use such certificates
> (http://support.microsoft.com/kb/276597). Is there a way to make
> Thunderbird accept such certificates too?

NSS's cert database is capable of storing email encryption certs that lack
any email address, indexed by an email address not found in the cert itself.
Thunderbird does not use that facility to enter certs into that DB.  You can
do it manually using NSS's (not Microsoft's) command line tool "certutil".
But this is probably not the answer you seek.

> 
> Best regards,
> Sergei Evdokimov


-- 
12345678901234567890123456789012345678901234567890123456789012345678901234567890
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
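The manual route the reply describes, as an added example that is not part of the original thread and not NSS's or Thunderbird's own code: build an S/MIME encryption certificate whose subject carries only a CN (no emailAddress attribute, no subjectAltName rfc822Name), load it into a fresh NSS database with certutil, and then look it up the way a mail client does, by address, to see that nothing is indexed under the address. The CA name, the subject "Alice Example", the nickname and the address alice@example.org are made up for the demonstration; openssl and NSS certutil must be on PATH. The script shows the import and the address lookup only; it does not perform the association of the cert with an address that is not in it.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates importing an
# S/MIME encryption cert that has no e-mail address into an NSS database
# with certutil, then looking it up by address. All subjects, nicknames,
# and the address alice@example.org are invented for the demo.
set -eu

# Create a throwaway CA and an end-entity encryption cert. The subject has
# only CN and O, so the certificate carries no rfc822 address anywhere.
make_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Alice Example/O=Example Org" \
        -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
    # Mark the cert for S/MIME key transport; still no address in it.
    printf '%s\n' \
        'keyUsage = critical, keyEncipherment' \
        'extendedKeyUsage = emailProtection' \
        > "$dir/smime.ext"
    openssl x509 -req -in "$dir/alice.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 30 -extfile "$dir/smime.ext" \
        -out "$dir/alice.pem" 2>/dev/null
}

# Count the rfc822 addresses a certificate carries: subject emailAddress
# attributes and SAN email: entries. Prints 0 for the cert built above.
count_addresses() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -c -E 'emailAddress *=|email:' || true
}

# Create an NSS database (sql format) and import the CA as trusted for
# e-mail (",C,") and the end-entity cert as a trusted e-mail peer (",P,").
import_to_nss() {
    dir="$1"; cert="$2"; nick="$3"
    mkdir -p "$dir/nssdb"
    certutil -N -d "sql:$dir/nssdb" --empty-password
    certutil -A -d "sql:$dir/nssdb" -n "Demo Issuing CA" -t ",C," -a -i "$dir/ca.pem"
    certutil -A -d "sql:$dir/nssdb" -n "$nick" -t ",P," -a -i "$cert"
}

# Succeeds when the database holds a cert under the given nickname.
nss_has_nick() {
    certutil -L -d "sql:$1/nssdb" -n "$2" >/dev/null 2>&1
}

# Address lookup as a mail client performs it. Succeeds only if NSS lists
# the nickname under that address; with no address in the cert and no
# S/MIME profile entry for it, this fails.
nss_find_by_email() {
    certutil -L -d "sql:$1/nssdb" --email "$2" 2>/dev/null | grep -q "$3"
}

main() {
    work=$(mktemp -d)
    make_certs "$work"
    echo "addresses carried by the cert: $(count_addresses "$work/alice.pem")"
    import_to_nss "$work" "$work/alice.pem" "alice-encryption"
    certutil -L -d "sql:$work/nssdb"
    if nss_find_by_email "$work" alice@example.org alice-encryption; then
        echo "cert is indexed under alice@example.org"
    else
        echo "no cert indexed under alice@example.org"
    fi
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1 && command -v certutil >/dev/null 2>&1; then
    main
fi
```

The interesting line is the last lookup: certutil -A stores the certificate happily, which is the point the reply makes about the database, but a client that searches recipients by address still finds nothing until the cert is associated with one.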