Quoting Martijn Brinkers <[email protected]>:

> On 10/31/2011 07:31 PM, Stefan Michael Guenther wrote:
>> Hello,
>>
>> let's think of the following scenario:
>>
>> Our client has 5 employees and uses Djigzo:
>>
>> E1, E2, E3, E4, E5
>>
>> His business contact has 5 employees, too, but doesn't use an
>> encryption gateway (encryption is performed by the email client):
>>
>> e1, e2, e3, e4, e5
>>
>> E1 exchanges emails with e1, e3, e5
>> E2 exchanges emails with e1, e2, e3
>> E3 exchanges emails with e2, e3, e5
>> and so on.
>>
>> Is it really necessary that the IT admin on the other side runs
>> around and distributes all required user certificates?
>> Or is it possible to have a wildcard domain certificate, which only
>> has to be installed once? The web interface accepts "*@abc.com" as
>> an "email address".
>>
>> The problem in our real world scenario is that our client has 250
>> employees and the other side is a governmental organization with
>> some 3000+ employees.
>> Therefore, running around and distributing certificates would only
>> be an option for marathon runners. ;-))
>
> The recipients can in principle use just one certificate to decrypt
> incoming email. Most (if not all) S/MIME email clients will use any
> available certificate (with private key) to decrypt the message with.
> So, from Djigzo gateway -> recipient(s) this would work, since with the
> Djigzo gateway you can select a certificate for a particular domain. All
> email sent to that domain will then be encrypted with that particular
> domain certificate.

But this will require installing this particular certificate on every recipient mail client, no?

> Although the recipient can decrypt the message, with most S/MIME email
> clients the recipient cannot however reply encrypted. Outlook, for
> example, refuses to use a certificate with a non-matching email address
> (although I haven't tried a wildcard address). So, if the recipient needs
> to reply, the recipient needs its own valid and trusted certificate with
> a matching email address. This is a shortcoming of the email clients in my
> opinion. S/MIME encryption would have been a lot easier if the email
> clients would allow more manual overrides.

That is the problem indeed. Mail clients rely to a big extent on matching mail addresses, so this would not work well. Even if it were configurable, it does not make a big difference to configure "something" on all clients versus installing a matching certificate/key on every client. After all, that's why the S/MIME gateways were invented ;-)

> About distributing certificates, there are ways to make it somewhat
> easier to distribute a lot of client certificates. However, if a lot of
> client certificates are required, it might be *a lot* easier for them to
> install a gateway as well (unless client side encryption is a requirement).

That said, if the recipients are a German governmental organization they almost certainly have an S/MIME gateway; you only have to convince them to use it.

Regards
Andreas

_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
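The two behaviours discussed in the thread can be reproduced with the openssl command line. The script below is an added example, not part of the thread and not Djigzo's own code: it builds a constructed self-signed "domain certificate" whose only email SAN is the wildcard `*@abc.com` (the form the Djigzo web interface accepts), shows that a message encrypted to it decrypts with that one key no matter which mailbox in the domain it was addressed to, and then performs the address check a strict client such as Outlook applies before it will use a certificate for a signed or encrypted reply: the user's own address must appear verbatim among the certificate's email addresses, which the wildcard does not satisfy, while a per-user certificate for e1@abc.com does. The domain, addresses and file names are constructed for the example; it assumes OpenSSL 1.1.1 or later (for `-addext`).

```shell
#!/bin/sh
# Added example (not from the thread or from Djigzo). Domain abc.com,
# user e1@abc.com and all file names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed "domain certificate": one key pair for the whole domain,
# with a wildcard rfc822Name in the SAN as Djigzo accepts it.
make_domain_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout domain.key -out domain.crt \
        -subj "/CN=abc.com mail gateway" \
        -addext "subjectAltName=email:*@abc.com" >/dev/null 2>&1
}

# Constructed per-user certificate with a matching address, i.e. what a
# recipient needs before a strict client will let them reply encrypted.
make_user_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" \
        -addext "subjectAltName=email:$1" >/dev/null 2>&1
}

# Gateway side: every mail to the domain is encrypted to the domain
# certificate, regardless of the individual recipient address. Recipient
# side: the one domain key decrypts it. Returns 0 on a clean round trip.
roundtrip_domain_cert() {
    printf 'To: e3@abc.com\n\nhello from E1\n' > plain.txt
    openssl smime -encrypt -aes256 -in plain.txt -out enc.p7m domain.crt
    openssl smime -decrypt -in enc.p7m -inkey domain.key \
        -recip domain.crt -out dec.txt
    grep -q 'hello from E1' dec.txt
}

# The check a strict mail client performs before using a certificate for
# the user's own address: exact match against the certificate's email
# addresses (subject emailAddress and rfc822Name SANs, as printed by
# "openssl x509 -email"). A wildcard entry is not an exact match.
cert_matches_address() {
    openssl x509 -in "$1" -noout -email | grep -qxF "$2"
}

make_domain_cert
make_user_cert e1@abc.com

if roundtrip_domain_cert; then
    echo "domain certificate decrypts mail addressed to e3@abc.com"
fi
if cert_matches_address domain.crt e1@abc.com; then
    echo "client would accept domain.crt for e1@abc.com"
else
    echo "client refuses domain.crt for e1@abc.com (no matching address)"
fi
if cert_matches_address e1@abc.com.crt e1@abc.com; then
    echo "client accepts the per-user certificate for e1@abc.com"
fi
```

Running it prints that the domain certificate decrypts the message addressed to e3@abc.com, that the same certificate fails the address match for e1@abc.com, and that only the per-user certificate passes; that is exactly the asymmetry Martijn describes between decrypting with any available key and replying with a certificate whose address matches.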
