Nelson B Bolyard wrote:
>  Does this assume LDAP for acquiring the certificate without a signed
>  S/MIME message?  (So it is only relevant in corporate setting?)

No.  There are many ways to get a cert for an email correspondent.
There is only one way to get that correspondent's email capabilities in a
form that Mozilla mail clients can understand, and that is to receive a
signed email.

For what it's worth, I've seen that the Microsoft Certificate Server product includes a sMIMECapabilities attribute directly inside X.509 mail encryption certificates it issues.

This non-standard usage could be interpreted as "I'll make sure any MUA that I use with this certificate will support at least this level of security".

Whilst I don't usually support Microsoft in reinterpreting standards, in that case I'll make an exception.

After all, even when you respect the standard and put sMIMECapabilities only inside an S/MIME message, nothing guarantees that you'll be using the same MUA when you read the response. It's up to you to make sure that none of the MUAs you use makes promises another of them can't support, which is only a little less dangerous than including them directly in the certificate.

Also, it can be said that an encryption certificate without the info of what encryption protocol the holder is ready to use is much less useful.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
