Xu Yongjiang wrote:
>
> pingzhenyu wrote:
> > The message can be signed with a cert stored on iKey 2000,
> > But the message can't be encrypted with a cert stored on iKey 2000.
> >
> > Do you know the rainbow iKey 2000?
>
> Very interesting! I think Pingzhenyu has a wrong conception about
> s/mime. You lose one step about S/MIME.
> As usual, you firstly exchange your certificate with someone, which can
> be done by signing a message with your certificate. As the same, you can
> get others' certificate from the similar means. Pierre has sent his
> certificate to you, you can store it in your local machine; Next, you can
> encrypt message using Pierre's certificate (PUBLIC KEY), then send the
> message to Pierre. The mail is protected by Pierre's public key.

That's true. However, there is one more detail to consider here.

When someone attempts to send an encrypted email message with mozilla,
(or any Netscape program that can send encrypted email), mozilla requires
that the sender also have his own certificate for key encryption.
mozilla encrypts the message so that it can be decrypted by the sender
or the receiver.

If Ping Zhen Yu has his own personal cert stored on an ikey 2000, and if
there is some problem with accessing that cert on that device, then he
might indeed have difficulty sending an encrypted email using that cert
as his own cert.

> Finally, Pierre receives your email encrypted by certificate by himself,
> then he can decrypt the message and see what you write. As we know, the
> message content is packed using PKCS#7 encoding form (Maybe enveloped
> data or sign and enveloped data form). That's all.

I'm not aware of any known issues with the iKey 2000. I have tested
with an iKey 1032, but not with an iKey 2000. Perhaps you can persuade
the iKey folks to send us a test unit.

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
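
Added example, not part of the original thread: the reply above says the client encrypts so that either the sender or the receiver can decrypt, which in PKCS#7 terms means one recipient entry per certificate. The sketch below reproduces that with the `openssl smime` command line instead of the mail client; the names `sender` and `pierre`, the throwaway self-signed certs and the message text are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway software keys, no hardware token involved.
WORK=$(mktemp -d)

make_cert() {  # $1 = name; writes $WORK/$1.key and a self-signed $WORK/$1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

encrypt_for() {  # $1 = output file, remaining args = recipient names
    out=$1; shift
    certs=""
    for n in "$@"; do certs="$certs $WORK/$n.crt"; done
    # openssl writes one recipient entry per certificate listed here
    openssl smime -encrypt -aes256 -in "$WORK/msg.txt" -out "$out" $certs
}

can_decrypt() {  # $1 = message file, $2 = name; true only if plaintext comes back
    openssl smime -decrypt -in "$1" -recip "$WORK/$2.crt" \
        -inkey "$WORK/$2.key" 2>/dev/null | grep -q "constructed test message"
}

make_cert sender
make_cert pierre
printf 'constructed test message\n' > "$WORK/msg.txt"

encrypt_for "$WORK/both.p7m" sender pierre  # sender's cert included, as in the reply
encrypt_for "$WORK/only.p7m" pierre         # recipient's cert only

for m in both only; do
    for who in sender pierre; do
        if can_decrypt "$WORK/$m.p7m" "$who"; then r=yes; else r=no; fi
        echo "$m.p7m readable by $who: $r"
    done
done
```

Only the public certificates are needed at encryption time; the private keys are used solely in `can_decrypt`.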
