
devel - Re: [sympa-dev] S/MIME certificate extraction: why "openssl -subject"?

Subject: Developers of Sympa

  • From: christian mock <address@concealed>
  • To: Aumont - Comite Reseaux des Universites <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-dev] S/MIME certificate extraction: why "openssl -subject"?
  • Date: Wed, 18 Dec 2002 12:37:00 +0100

On Tue, Dec 17, 2002 at 05:06:53PM +0100, Aumont - Comite Reseaux des
Universites wrote:

> I believe that's all. Please could you test it and report?

Actually, I'll be doing a lot more -- we have a need to support distinct
signing and encryption certificates (as required by the local digital
signature law), so both for the lists and for the subscribers, I'll augment
the cert handling to support this.

Another issue is that when you change list certificates (because they
expire), the problem is to get the new certificates to all subscribers
(or rather, senders) at the same time -- I'll change sympa to support
a "current" set of certs/keys plus an amount of "past" certs/keys, so
when an encrypted mail comes in, it first tries to decrypt with the
current key, and with all "past" keys afterwards. This means you can get
a new certificate a month in advance, and run both in parallel for this
time so your subscribers don't all have to switch at the very same
moment.

The last issue is that with some versions of Outlook, there's no indication
in the MIME headers whether the application/x-pkcs7-mime part is signed,
encrypted or both; despite the S/MIME RFC saying you "SHOULD" make this
distinguishable, we have to support Outlook, so I'll have to find a
solution to this problem, too.

Feedback from people using sympa with S/MIME would be very appreciated.

regards,

cm.

--
Christian Mock Wiedner Hauptstrasse 15
Senior Security Engineer 1040 Wien
CoreTEC IT Security Solutions GmbH +43-1-5037273
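
When the MIME headers do not say whether an application/x-pkcs7-mime part is signed or encrypted, the outer PKCS#7 ContentInfo still carries a contentType OID that does. The sketch below is an added example, not code from this message or from Sympa; the function names and the sample bytes are constructed for illustration.

```python
import base64

# PKCS#7 ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, content [0] ... }
CONTENT_TYPES = {
    "1.2.840.113549.1.7.2": "signed-data",
    "1.2.840.113549.1.7.3": "enveloped-data",
}

def _read_header(buf, pos):
    """Return (tag, value_offset, length) of the BER/DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form
        return tag, pos, first
    if first == 0x80:                     # indefinite length (streamed BER)
        return tag, pos, None
    n = first & 0x7F                      # long form: n length octets follow
    if pos + n > len(buf):
        raise ValueError("truncated length")
    return tag, pos + n, int.from_bytes(buf[pos:pos + n], "big")

def _decode_oid(raw):
    subs, value = [], 0
    for octet in raw:                     # base-128, high bit means "more follows"
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subs.append(value)
            value = 0
    if not subs or raw[-1] & 0x80:
        raise ValueError("malformed OID")
    root = min(subs[0] // 40, 2)          # first sub-identifier packs two arcs
    return ".".join(map(str, [root, subs[0] - 40 * root] + subs[1:]))

def classify_pkcs7(body_b64):
    """Name the outer PKCS#7 layer of a base64-encoded MIME part body."""
    der = base64.b64decode(body_b64)
    tag, pos, _ = _read_header(der, 0)
    if tag != 0x30:
        raise ValueError("not a ContentInfo SEQUENCE")
    tag, pos, length = _read_header(der, pos)
    if tag != 0x06 or length is None or pos + length > len(der):
        raise ValueError("missing contentType OID")
    oid = _decode_oid(der[pos:pos + length])
    return CONTENT_TYPES.get(oid, "unknown:" + oid)

# Constructed samples: only the leading octets of a ContentInfo, not real mail.
SAMPLE_SIGNED = base64.b64encode(bytes.fromhex("30800609" "2a864886f70d010702" "a080"))
SAMPLE_ENVELOPED = base64.b64encode(bytes.fromhex("30820123" "0609" "2a864886f70d010703"))
```

This only identifies the outer layer: a part reported as enveloped-data may still contain a signed message, which becomes visible only after decryption.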


