Jean-Marc Desperrier wrote:
> Nelson B Bolyard wrote:
>>> Does this assume LDAP for acquiring the certificate without a signed
>>> S/MIME message?  (So it is only relevant in corporate setting?)
> 
>> No.  There are many ways to get a cert for an email correspondent.
>> There is only one way to get that correspondent's email capabilities in a
>> form that Mozilla mail clients can understand, and that is to receive a
>> signed email.
> 
> For what it's worth, I've seen that the Microsoft Certificate Server
> product includes a sMIMECapabilities attribute directly inside X509 mail
> encryption certificates it issues.
> 
> This non-standard usage could be interpreted as "I'll make sure any MUA
> that I use with this certificate will support at least this level of
> security".

Hmm, thinking about this a bit more I have some comments:

There is no such thing as a "level of security". AFAICS the
sMIMECapabilities are just an unordered set of algorithm identifiers
without any provisions about the security level of these ciphers.

When a MUA sends sMIMECapabilities in a signed S/MIME message it sends a
set of the ciphers *currently* supported by this particular MUA. This
can change over time. A new signed S/MIME message should update the
sMIMECapabilities for the sender's e-mail address in the receiver's MUA.
So if the user changes a MUA he/she has control over updating the
sMIMECapabilities in receiver's MUA.

If the CA makes an assertion about sMIMECapabilities in this X.509v3
cert extension how is it supposed to be handled? Should the receiver's
MUA take the intersection or the union of sMIMECapabilities cert
extension and sMIMECapabilities in signed S/MIME message? Personally I'd
vote for giving the sender's MUA precedence over what's stated in the
e-mail cert but one could also argue the other way round.

> Also, it can be said an encryption certificate without the info of what
> encryption protocol the holder is ready to use is much less useful.

Wouldn't an X.509v3 cert with extension sMIMECapabilities imply that this
e-mail cert can be used with S/MIME?

Ciao, Michael.

-- 
Michael Ströder
E-Mail: mich...@stroeder.com
http://www.stroeder.com
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
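The merge question in the message above (intersection, union, or letting the signed message win over the cert extension), as an added example that is not part of the thread or of any Mozilla code. It encodes and decodes an SMIMECapabilities value (SEQUENCE OF SEQUENCE { OBJECT IDENTIFIER, parameters OPTIONAL }) with a small pure-Python DER routine, then applies each of the three policies to a constructed pair of capability lists. The OIDs are the standard AES-CBC, 3DES and RC2 identifiers; the sample cert and message contents, the function names and the "message-wins" default are assumptions made for the example.

```python
# Algorithm OIDs used in the constructed sample (standard CMS/S-MIME identifiers).
AES256_CBC = "2.16.840.1.101.3.4.1.42"
AES128_CBC = "2.16.840.1.101.3.4.1.2"
DES_EDE3_CBC = "1.2.840.113549.3.7"
RC2_CBC = "1.2.840.113549.3.2"  # carries an INTEGER parameter: effective key bits

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))

def encode_capabilities(caps):
    """caps: list of (oid, int-or-None) -> DER SMIMECapabilities (SEQUENCE OF SEQUENCE)."""
    items = []
    for oid, param in caps:
        body = encode_oid(oid)
        if param is not None:  # only INTEGER parameters are modelled here (RC2 key bits)
            n = max(1, (param.bit_length() + 8) // 8)
            body += _der_tlv(0x02, param.to_bytes(n, "big", signed=True))
        items.append(_der_tlv(0x30, body))
    return _der_tlv(0x30, b"".join(items))

def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; returns (tag, body, position after the TLV)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    if body[-1] & 0x80:
        raise ValueError("unterminated OID arc")
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_capabilities(der: bytes):
    """Inverse of encode_capabilities; rejects trailing bytes and non-INTEGER parameters."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        tag, item, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("SMIMECapability must be a SEQUENCE")
        tag, oid_body, p = _read_tlv(item, 0)
        if tag != 0x06:
            raise ValueError("capabilityID must be an OBJECT IDENTIFIER")
        param = None
        if p < len(item):
            tag, pbody, p = _read_tlv(item, p)
            if tag != 0x02 or p != len(item):
                raise ValueError("unsupported or trailing parameter")
            param = int.from_bytes(pbody, "big", signed=True)
        caps.append((decode_oid(oid_body), param))
    return caps

def merge_capabilities(cert_caps, msg_caps, policy="message-wins"):
    """The three readings discussed in the thread, computed over sets of algorithm OIDs.
    'message-wins' falls back to the cert extension only when no signed message was seen."""
    cert = {oid for oid, _ in cert_caps}
    msg = {oid for oid, _ in msg_caps}
    if policy == "message-wins":
        return msg if msg else cert
    if policy == "intersection":
        return cert & msg
    if policy == "union":
        return cert | msg
    raise ValueError(f"unknown policy {policy!r}")

# Constructed sample: what a CA put into the cert vs. what a later signed message carries.
CERT_CAPS = [(AES128_CBC, None), (DES_EDE3_CBC, None), (RC2_CBC, 40)]
MESSAGE_CAPS = [(AES256_CBC, None), (AES128_CBC, None)]

if __name__ == "__main__":
    der = encode_capabilities(CERT_CAPS)
    print(der.hex())
    print(decode_capabilities(der))
    for policy in ("message-wins", "intersection", "union"):
        print(policy, sorted(merge_capabilities(CERT_CAPS, MESSAGE_CAPS, policy)))
```

With the sample above, "intersection" leaves only AES-128, "union" keeps every algorithm either source ever listed (including the RC2/40 entry the current MUA no longer offers), and "message-wins" yields exactly what the most recent signed message advertised. The decoder deliberately rejects trailing bytes and unknown parameter types rather than skipping them, so a malformed attribute fails closed instead of silently producing an empty or partial capability set.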