Quote from Martijn Brinkers <[email protected]>:
> Hi Andreas,
>
> > new certificates for some transit time in our Djigzo database. This
> > should be no problem for decrypting keys as all matching for a given
> > address will be tried, I guess.
>
> Yes, that should be no problem. The gateway will search for any available private key which can be used to decrypt the message.
Fine.
> > address will be tried, I guess. For signing the documentation says "if
> > there are multiple certificates suitable for signing, the first
> > certificate found will be selected". Is it possible to alter this to
> > something like the certificate with the longest validity will be
> > selected? I guess this would better fit most cases.
>
> The way it currently works is that once a signing key has been selected, it will be used until the signing key (to be precise, the certificate associated with the private key) expires or is no longer valid, or until a new signing key is explicitly selected. Selecting a signing key for every new email might not always be the best choice because it won't allow you to explicitly select a different one than the selected one. Suppose you have a certificate which you must use for signing but have another one which should be used for decryption, and the encryption key's validity exceeds the validity of the signing key. In that case you want to make sure the explicitly selected signing key will always be used (at least until it expires).
Splitting the signing key/cert from the decryption key/cert seems odd to me, because the remote party needs your public key to encrypt, and the public key is picked up from digitally signed mail in most cases, no? For this scenario with split keys/certs I suspect that manually selecting the signing key would be a better choice? I was not aware that "auto selection" for signing means that it is selected once and then used until it expires.
> > selected? I guess this would better fit most cases.
>
> You might be right. I can add an option so you can choose which private key selection procedure you want to use. For example the following options:
>
> NEVER_SELECT
> SELECT_FIRST_TIME
> SELECT_NEWEST
> SELECT_LONGEST_VALID
I would not invest too much time. The new signing certs are used automatically anyway, as expected, but only after the old one has expired, which means some days/weeks more of spreading the old, soon-outdated cert, which is not too much hassle.
Instead of another option I would go like this:

- signing cert set to "choose automatically" --> check if more than one valid cert/key is available; if a longer-valid one is available, choose this one
- manually selected cert/key --> use until expired; if expired, stop signing and log a warning
> Is it possible to add a JIRA entry for your request? https://jira.djigzo.com/
Never used this before, but I will try.

Regards
Andreas
_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
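The selection behaviour discussed in this thread (the documented "first certificate found" rule, Martijn's sticky selection that keeps a chosen signing certificate until it expires, the NEVER_SELECT / SELECT_FIRST_TIME / SELECT_NEWEST / SELECT_LONGEST_VALID options he floated, and Andreas' suggestion to stop signing and log a warning when a manually selected certificate expires), as an added, stand-alone Python example. It is not Djigzo code: certificates are modelled as plain records with validity dates rather than X.509 objects, the certificate store and message dates are constructed, and the exact semantics of the policy names as well as the "try every key for the address, expired or not" decryption rule are assumptions.

```python
# Added example for this thread, not Djigzo code; certs are plain records, the store is constructed.
from __future__ import annotations

import logging
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Sequence

log = logging.getLogger("smime.keyselect")
UTC = timezone.utc


@dataclass(frozen=True)
class CertRecord:
    """Stand-in for a certificate plus its private key (constructed data)."""
    serial: str
    email: str
    not_before: datetime
    not_after: datetime
    can_sign: bool = True      # keyUsage digitalSignature
    can_decrypt: bool = True   # keyUsage keyEncipherment

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after


class SelectPolicy(Enum):
    """Option names floated in the thread; their semantics are assumed here."""
    NEVER_SELECT = "never"            # only an explicitly chosen key is ever used
    SELECT_FIRST_TIME = "first"       # first suitable cert in store order
    SELECT_NEWEST = "newest"          # latest notBefore
    SELECT_LONGEST_VALID = "longest"  # latest notAfter


def pick_signing_cert(certs: Sequence[CertRecord], email: str, now: datetime,
                      policy: SelectPolicy) -> Optional[CertRecord]:
    """One-shot choice among certs usable for signing at `now`."""
    usable = [c for c in certs if c.email == email and c.can_sign and c.valid_at(now)]
    if policy is SelectPolicy.NEVER_SELECT or not usable:
        return None
    if policy is SelectPolicy.SELECT_FIRST_TIME:
        return usable[0]
    if policy is SelectPolicy.SELECT_NEWEST:
        return max(usable, key=lambda c: c.not_before)
    return max(usable, key=lambda c: c.not_after)


class SigningKeyState:
    """Sticky selection: a chosen signing cert is kept until no longer valid."""

    def __init__(self, policy: SelectPolicy, explicit: Optional[CertRecord] = None):
        self.policy = policy
        self.current = explicit
        self.explicit = explicit is not None

    def cert_for_message(self, certs: Sequence[CertRecord], email: str,
                         now: datetime) -> Optional[CertRecord]:
        if self.current is not None and self.current.valid_at(now):
            return self.current  # sticky: kept even if a "better" cert exists
        if self.explicit:
            # Manually selected cert expired: don't silently switch keys;
            # stop signing and warn, as proposed in the thread.
            log.warning("explicit signing cert %s for %s expired; not signing",
                        self.current.serial, email)
            return None
        self.current = pick_signing_cert(certs, email, now, self.policy)
        if self.current is None:
            log.warning("no valid signing cert for %s (%s); not signing", email, self.policy.name)
        return self.current


def decryption_candidates(certs: Sequence[CertRecord], email: str) -> list[CertRecord]:
    """Decryption is not sticky: every private key for the address is a candidate,
    expired ones included (assumption; the thread only says all matching keys are tried)."""
    return [c for c in certs if c.email == email and c.can_decrypt]


def sample_store() -> list[CertRecord]:
    """Constructed store: an expiring cert and its already-imported successor."""
    return [
        CertRecord("01", "user@example.com", datetime(2011, 7, 1, tzinfo=UTC), datetime(2012, 7, 1, tzinfo=UTC)),
        CertRecord("02", "user@example.com", datetime(2012, 5, 15, tzinfo=UTC), datetime(2013, 5, 15, tzinfo=UTC)),
    ]


# Message dates to walk: both valid, both valid, "01" expired, both expired.
DATES = [datetime(2012, 6, 1, tzinfo=UTC), datetime(2012, 6, 20, tzinfo=UTC),
         datetime(2012, 7, 2, tzinfo=UTC), datetime(2013, 6, 1, tzinfo=UTC)]


def walk(policy: SelectPolicy, dates: Sequence[datetime],
         explicit_serial: Optional[str] = None) -> list[Optional[str]]:
    """Serial of the cert that would sign a message sent on each date."""
    store = sample_store()
    explicit = next((c for c in store if c.serial == explicit_serial), None)
    state = SigningKeyState(policy, explicit)
    picks = [state.cert_for_message(store, "user@example.com", d) for d in dates]
    return [c.serial if c else None for c in picks]
```

Walking the four dates shows the delay Andreas describes: under SELECT_FIRST_TIME the gateway keeps signing with serial 01 through June although the longer-valid 02 is already in the store, and only moves to 02 once 01 has expired, whereas SELECT_LONGEST_VALID uses 02 from the first message on. With an explicitly selected 01 the selector returns nothing after its expiry and logs a warning instead of silently switching, and decryption_candidates returns both keys regardless of validity, so a message encrypted to either certificate can still be opened.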
