On 10/31/2011 07:31 PM, Stefan Michael Guenther wrote:
> Hello,
>
> let's think of the following scenario:
>
> Our client has 5 employees and uses Djigzo:
>
> E1, E2, E3, E4, E5
>
> His business contact has 5 employees, too, but doesn't use an encryption
> gateway (encryption is performed by the email client):
>
> e1, e2, e3, e4, e5
>
> E1 exchanges emails with e1, e3, e5
> E2 exchanges emails with e1, e2, e3
> E3 exchanges emails with e2, e3, e5
> and so on.
>
> Is it really necessary that the IT admin on the other side runs around and
> distributes all required user certificates?
> Or is it possible to have a wildcard domain certificate, which only has to be
> installed once? The web interface accepts "*@abc.com" as an "email address".
>
> The problem in our real-world scenario is that our client has 250 employees
> and the other side is a governmental organization with some 3000+ employees.
> Therefore, running around and distributing certificates would only be an
> option for marathon runners. ;-))
The recipients can in principle use just one certificate to decrypt incoming email. Most (if not all) S/MIME email clients will use any available certificate (with private key) to decrypt the message with. So, from Djigzo gateway -> recipient(s) this would work, since with the Djigzo gateway you can select a certificate for a particular domain. All email sent to that domain will then be encrypted with that particular domain certificate.

Although the recipient can decrypt the message, with most S/MIME email clients the recipient cannot, however, reply encrypted. Outlook for example refuses to use a certificate with a non-matching email address (although I haven't tried a wildcard address). So, if the recipient needs to reply, the recipient needs its own valid and trusted certificate with a matching email address. This is a shortcoming of the email clients in my opinion. S/MIME encryption would have been a lot easier if the email clients would allow more manual overrides.

About distributing certificates, there are ways to make it somewhat easier to distribute a lot of client certificates. However, if a lot of client certificates are required, it might be *a lot* easier for them to install a gateway as well (unless client side encryption is a requirement).

Kind regards,

Martijn

--
Djigzo open source email encryption

_______________________________________________
Users mailing list
http://lists.djigzo.com/lists/listinfo/users
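The two checks Martijn's reply hinges on, as an added illustration that is not Djigzo's or any mail client's code: the gateway picking a domain-wide certificate for a recipient that has no personal one, and the strict address match a client applies before it will use a certificate for its own (reply) traffic. Certificates are modelled only by their SAN rfc822Name values, and all addresses and certificate labels are constructed sample data.

```python
"""Model of S/MIME certificate selection (gateway side) and the strict
address match applied by S/MIME clients (client side). Real X.509
parsing is out of scope; a cert is just its rfc822Name SAN entries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SmimeCert:
    label: str
    rfc822_names: tuple  # subjectAltName rfc822Name entries (constructed)


def _split(addr):
    """Split 'local@domain'; the domain is normalised to lower case."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def address_matches(cert_name, address):
    """RFC 5280 s7.5 comparison for rfc822Name: domain part is
    case-insensitive, local part is case-sensitive. No wildcard semantics
    exist for rfc822Name, so '*@abc.com' only matches itself literally."""
    cl, cd = _split(cert_name)
    al, ad = _split(address)
    return cl == al and cd == ad


def client_may_use(cert, address):
    """What a strict client (the thread reports Outlook) requires: the
    certificate must carry the user's exact address."""
    return any(address_matches(n, address) for n in cert.rfc822_names)


def gateway_select(recipient, user_certs, domain_certs):
    """Gateway side: a certificate for the exact recipient wins; otherwise
    fall back to the certificate registered for the recipient's domain
    (None if neither exists, i.e. the mail would have to go out in clear)."""
    for cert in user_certs:
        if client_may_use(cert, recipient):
            return cert
    _, domain = _split(recipient)
    return domain_certs.get(domain)


# Constructed sample data mirroring the thread's scenario.
DOMAIN_CERT = SmimeCert("abc.com domain cert", ("*@abc.com",))
E2_CERT = SmimeCert("e2 personal cert", ("e2@abc.com",))
USER_CERTS = [E2_CERT]
DOMAIN_CERTS = {"abc.com": DOMAIN_CERT}
```

Selecting a certificate for e1 returns the domain certificate, so the gateway can encrypt to e1; but `client_may_use(DOMAIN_CERT, "e1@abc.com")` is False, which is exactly why e1's client will not pick that certificate when replying.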
