Re: S/MIME in Thunderbird

Thu, 02 Jul 2009 02:25:11 -0700 

Nelson B Bolyard wrote:

If Microsoft has merely taken a DER-encoded object from another standard
and has incorporated it into a cert extension, that seems fine to me.
I hope they did it in such a way that existing BER/DER parsers of the
sMIMECapabilities attribute can just parse the extension body directly.



Openssl recognise it as sMIMECapabilities, but apparently does not 
really include the layer to really interpret that extension.



Here is the content of the extension as it appears inside a certificate 
I have :

MEQGCSqGSIb3DQEJDwQ3MDUwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAHBgUr
DgMCBzAKBggqhkiG9w0DBw==

and the result dumpasn1 gives on it :
   0   68: SEQUENCE {
   2    9:   OBJECT IDENTIFIER sMIMECapabilities (1 2 840 113549 1 9 15)
  13   55:   OCTET STRING, encapsulates {
  15   53:     SEQUENCE {
  17   14:       SEQUENCE {
  19    8:         OBJECT IDENTIFIER rc2CBC (1 2 840 113549 3 2)
  29    2:         INTEGER 128
         :         }
  33   14:       SEQUENCE {
  35    8:         OBJECT IDENTIFIER rc4 (1 2 840 113549 3 4)
  45    2:         INTEGER 128
         :         }
  49    7:       SEQUENCE {
  51    5:         OBJECT IDENTIFIER desCBC (1 3 14 3 2 7)
         :         }
  58   10:       SEQUENCE {
  60    8:         OBJECT IDENTIFIER des-EDE3-CBC (1 2 840 113549 3 7)
         :         }
         :       }
         :     }
         :   }


I'll send you the cert in private mail. I've just checked the extension 
appears only in mail encryption cert (KU=key exchange), not in mail 
signature cert (KU=signature).



Also, testing MCS in any server edition of windows is nothing more than 
going in Control Panel, selecting "Add/Remove Windows Component", 
clicking "Certificate Services", and finding back the install CD/DVDs 
(which might be more difficult). They are a few question you need to 
answer, but it's really not difficult, you just need to select a "Stand 
Alone" authority so that you don't need to integrate it with Active 
Directory.



If you could supply a specification for this new extension, I'd file an
RFE for Thunderbird/NSS to handle these certs in the intended manner.



I'm not very well placed to give a specification, but it seems it's 
really nothing more than "take sMIMECapabilities, include it inside x509".


It would be good to include the RFE also in Dogtag then.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
























					Reply via email to