Zitat von Martijn Brinkers <[email protected]>:
On 02/01/2011 12:36 PM, Manuel Faux wrote:"was never intended to" depends on how you look at it :). From my point of view it was intended that way because I implemented it that way. Djigzo is an email encryption gateway that encrypts and decrypts email at the gateway level. If you don't want email to be decrypted at the gateway level than don't put the private key on the gateway. If the private key is not available, the message cannot be decrypted.What do you think is the benefit of this feature? Is there any "normal" situation you forward an encrypted email without reencrypting it?I was just thinking of the following situation which actually happens in my case. I still use a very old email address I have already for a long time ([email protected]). Pobox is only a forwarding service so email sent to my Pobox account is forwarded to my Djigzo email address. When someone sends encrypted email to my Pobox account using an email client it will be encrypted with the certificate for the Pobox email address. The email however will be forwarded to my Djigzo address. The gateway can decrypt the message because the gateway contains the private key of the Pobox account. When strict mode will be enabled, the gateway will refuse to decrypt the message because there will be a mismatch between recipient email address and certificate email address. Whether or not this is a good think (not in my case) it of course up to the gateway admin.
I would suggest the following:- For "non-domain-encryption" eg. automatic private-key selection only use a key if the recipient address also matches - If one would like settings like above or domain-encryption it is necessaey to manual select the keys considered by Djigzo for decryption and asign it to the user (address) or domain (domain-encryption)
In any case incoming encrypted mail should be split to single recipient to simplify the handling and allow a mix of both. The percentage of encrypted mail which has also multiple recipients should be low enough to not bother with the additional overhead.
Regards Andreas
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Users mailing list [email protected] http://lists.djigzo.com/lists/listinfo/users
