Hi Bob, thanks for your fast reply. Before I can write the bug report, I should somehow verify, that KMail is definitely requesting AES.
I should add, that MS OE shows 3DES as "preferred algorithm from the sender" (sorry, this is translated from the German localized OE version), if you send an eMail from Tb. If you send an eMail from KMail to MS OE, it shows *40.1.101.3.4.1.2 as "preferred algorithm from the sender" I think that this number corresponds to AES, but my only (weak) proof is http://lists.iaik.tugraz.at/pipermail/jce-general/2001-August/001348.html. > There are several separate issues here: > > 1) NSS is not matching on AES. - This is the biggest issue. > 2) For some reason NSS is not negotiating 3DES (is KMail sending 3DES in > the profile. If not, that's a KMail bug). How to have a look in this profile? > 3) We probably should have a single button to disable weak crypto (which > would disable RC2-40), or better yet disable it by default. Sounds very good. Am I right, that I should write the bug report on 1). What about 3), shall I write a 2nd bug report? > Now technically KMail MUST implement RC2-40 (is the implementers > confusing RC2 with RC5?) I don't think so, they speak about "40 bit RC2" > according to the S/MIME spec (all > implementations must support RC2-40. All strong implementations must > support 3DES). In practice the number of weak implementations out there > has declined, so we may want to rethink our defaults in NSS to be 3DES > unless we have some hint the recipient is a weak client. This would correspond to point 3). > 1. Disabling weak crypto by default is a decision we should make > independent of KMail interoperability. > 2. If KMail is sending AES in the profile, NSS should be using it. > (potential AES bug). > 3. It looks like KMail is not sending all of it's profile information, > particularly 3DES (KMail bug). > 4. The S/MIME spec requires accepting RC2-40 by all S/MIME > implementations. KMail clearly falls down there. Once more to be sure: 1. and 2. should be mentioned in 2 bug reports? > KMail will face the same interoperability problems with OE, which runs > home to RC2-40 much more often than NSS... The problems with OE are the same! > (BTW, if you put TB in FIPS mode, does the problem go away?) Unfortunately not. Bye, wurstsemmel _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
