> On incoming signed E-Mails, Djigzo puts the CN of the sender's
> intermediate CA next to the "X-Djigzo-Info-Signer-ID-0-1"-header.
> Shouldn't it be the CN of the sender's user certificate which is displayed?
> Same thing happens with the
> "X-Djigzo-Info-Encryption-Recipient-0-0"-Header in incoming encrypted
> E-Mails.

I can understand the misunderstanding :). S/MIME (or CMS to be exact)
identifies a signing and encryption certificate using the following two
methods:

- Issuer/Serial number or,
- Subject Key Identifier

Subject Key Identifier is not widely used so in most cases Issuer/Serial
is used. The reason behind this is that in principle the sender is not
obliged to add the signing certificate to the email.

These headers are added more or less for debugging purposes. I can
however understand that it would be nice to also add info about the
signing certificate. If you want you can add a JIRA feature request for
this. Not sure however when it will be added.

> Is there a way to use the value of the FROM-header instead of the
> default CN ("persona non-validated" by default) for automatically
> generated certificates?
> As long as outgoing emails have their source in my trusted environment,
> this would make things easier without representing a security issue.

The email address is added to the Subject of the generated certificate.
But you also want to use the "name" part of the from?

> Is it possible to use end-to-end encryption for specific users, so that
> a specific user has its own private key stored on his client and djigzo
> only passes through the encrypted email?

Only if the message is encrypted with a certificate for which the
gateway does not have a private key.

> I tried to do so. But as I don't have any CA except Djigzo's built-in
> CA, I created the internal user and its certificate with the built-in
> CA, exported the key to the client, deleted the user, but Djigzo still
> decrypts incoming E-Mail for this user before. Is this a bug or working
> as intended?

See Andreas' explanation (i.e., you should delete the certificate with
the private key).

Kind regards,
Martijn Brinkers
--
Djigzo open source email encryption
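
Added example (not part of the original message and not Djigzo's code): a minimal DER reader for the two CMS SignerIdentifier forms named in the reply. It shows that with Issuer/Serial the issuer's name is the only name the SignerInfo carries. The sample bytes, the CA name and all helper names are constructed for illustration.

```python
# Added example: read the SignerIdentifier (sid) of a CMS SignerInfo (RFC 5652).
# sid is issuerAndSerialNumber (SEQUENCE, 0x30) or subjectKeyIdentifier ([0], 0x80).
CN_OID = bytes.fromhex("550403")            # id-at-commonName, 2.5.4.3

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def common_name(name_body):
    """Return the CN from the contents of an X.501 Name, or None."""
    pos = 0
    while pos < len(name_body):
        _, rdn, pos = read_tlv(name_body, pos)      # SET (one RDN)
        _, atv, _ = read_tlv(rdn, 0)                # first AttributeTypeAndValue
        _, oid, nxt = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, nxt)
        if oid == CN_OID:
            return value.decode("utf-8")
    return None

def signer_identifier(signer_info):
    """Describe how a DER SignerInfo points at the signing certificate."""
    _, body, _ = read_tlv(signer_info, 0)           # SignerInfo SEQUENCE
    _, _version, pos = read_tlv(body, 0)            # version INTEGER
    tag, sid, _ = read_tlv(body, pos)
    if tag == 0x30:                                 # only issuer name + serial are present
        _, issuer, nxt = read_tlv(sid, 0)
        _, serial, _ = read_tlv(sid, nxt)
        return {"kind": "issuerAndSerialNumber", "issuer_cn": common_name(issuer),
                "serial": int.from_bytes(serial, "big")}
    if tag == 0x80:
        return {"kind": "subjectKeyIdentifier", "ski": sid.hex()}
    raise ValueError("unexpected SignerIdentifier tag 0x%02x" % tag)

def der(tag, content):                              # short-form DER encoder for samples
    return bytes([tag, len(content)]) + content

# Constructed samples, truncated after sid; the CA name and values are made up.
ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, b"Example Intermediate CA"))))
SAMPLE_ISSUER_SERIAL = der(0x30, der(0x02, b"\x01") + der(0x30, ISSUER + der(0x02, b"\x12\x34")))
SAMPLE_SKI = der(0x30, der(0x02, b"\x03") + der(0x80, bytes.fromhex("a1b2c3d4")))
print(signer_identifier(SAMPLE_ISSUER_SERIAL))
```

Resolving the signer's own subject CN requires looking up the certificate that matches this issuer and serial, either in the certificates attached to the message or in a local store.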
