[email protected] wrote:
> because of code-signing we dig around in secure timestamps according
> to RFC 3161. This is an extension which is used to solve the problem of
> expired certificates and the need to know if the certificate was valid
> at time of signing.
> As far as I know this would also apply to S/MIME so signed messages
> can be validated even if the certificate in question is expired.
> Does anybody know if this would be useful or even supported by
> mail clients? If yes, it may be worth adding to Djigzo in the
> future?

Djigzo already contains a signed timestamp. This however is different from RFC 3161 because with RFC 3161 the document is timestamped by a trusted third party (TTP). The timestamp which is already added to every signed email is signed by the signer of the message and not signed by another party. I'm however not aware of any email client that can actually validate such a signed timestamp.

Implementation-wise, the hardest problem to solve would be to handle the case when the gateway is unable to connect to the TTP signing authority (for example the TTP is down). Signing by the TTP can take some time so all email has to be queued until the TTP handles the email. Another option would be to use a tamper-proof timestamp device (like Christine mentioned). I know nCipher (which is now owned by Thales) has such a device but that's a pretty expensive device.

So in sum, it's a good idea but to make it scalable I think you'll need an expensive trusted and tamper-proof device.

-- 
Djigzo open source email encryption
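
As an added illustration that is not part of the original message or of Djigzo's code: the request a gateway would have to send to an RFC 3161 timestamp authority for each signature, built with the Python standard library only. It shows that the TTP receives just a SHA-256 imprint and a nonce, never the mail itself; the function names and the sample bytes are constructed for this example.

```python
import hashlib
import secrets

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag, content):
    """Encode one DER element with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_int(value):
    """Encode a non-negative INTEGER (leading 0x00 when the high bit is set)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(message, nonce=None, cert_req=True):
    """RFC 3161 TimeStampReq: version 1, SHA-256 imprint, nonce, certReq."""
    digest = hashlib.sha256(message).digest()
    alg = der(0x30, SHA256_OID + der(0x05, b""))   # AlgorithmIdentifier
    imprint = der(0x30, alg + der(0x04, digest))   # MessageImprint
    if nonce is None:
        nonce = secrets.randbits(64)               # ties the response to this request
    body = der_int(1) + imprint + der_int(nonce)
    if cert_req:
        body += der(0x01, b"\xff")                 # ask the TSA to include its certificate
    return der(0x30, body)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_timestamp_request(req):
    """Return (version, digest, nonce) from a request built above."""
    body = read_tlv(req)[1]
    _, version, p = read_tlv(body)
    _, imprint, p = read_tlv(body, p)
    digest = read_tlv(imprint, read_tlv(imprint)[2])[1]
    nonce = read_tlv(body, p)[1]
    return int.from_bytes(version, "big"), digest, int.from_bytes(nonce, "big")

# Constructed sample: stands in for whatever bytes the gateway would timestamp.
SAMPLE = b"constructed S/MIME signature bytes"
REQUEST = build_timestamp_request(SAMPLE, nonce=0x0102030405060708)
```

RFC 3161 defines an HTTP transport in which these bytes are sent with the content type `application/timestamp-query`; a gateway that cannot reach the authority has to hold the message until that exchange succeeds, which is the queueing cost described above.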
