Zitat von Martijn Brinkers <[email protected]>:
[email protected] wrote:The whole point is: We teach the users to obey valid signatures as additional saftey/assurance. But if the user have a look at the mails in the inbox after some time, many or all of the signed messages pop up with "invalid signature" warnings. This may be logically for technical people, but end-users are scared by such unexpected warnings they don't understand. So if we like to get digital signatures and encryption to be used, they must be user-proof as far as possible. Timestamping when signing would be one piece in the puzzle to prevent unexpected/confusing warnings.The problem with most S/MIME clients is that they only allow strict PKI usage. It would be better to be pragmatic and explain more than just giving errors. The best advise I can give you is to use certificates that are valid for much longer than 1 year. There is not really a good reason to make a certificate only valid for 1 year (PGP keys for example never expire). Creating certificates and handing out certificates to recipients is always a pain especially if this has to be repeated every year. The problem however is that almost all commercial certificate issuers only create certificates which are valid for 1 year. Even CACert certificates are only valid for 1 year. I will see whether I can convince them to make certificate valid for longer than 1 year (at least 5 years).
The root-evil of PKI is raising its ugly head....Once designed as all including directory, and later extended for off-line usage with kludges like revocation-lists and expiring certificates. :-(
You don't get more than 3 year certificates from a CA because the effort for the recommended security and process audits will raise and get really expensive. I was told that the CA must re-audit the certified data if the expiry period is too long for example.
It's a pitty that only a few people try hard to get signing/encryption usable. Djigzo is a Tool in the right direction but i think we need more to get S/MIME usable by non-Geeks in large scale.
BTW: It seems that Bouncy Castle which is included in Djigzo support RFC 3161 extension. May i ask if you could check how difficult it may be to include something like timestamping in Djigzo?
Many Thanks Andreas
smime.p7s
Description: S/MIME Signatur
_______________________________________________ Users mailing list [email protected] http://lists.djigzo.com/lists/listinfo/users
