 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Java Forum / Security / June 2004how does SMIME work in Outlook, the big picture?
I would like to write an entry on SMIME for the Java glossary, but is still quite a mystery how it works. In the Microsoft smime email signing and encryption scheme, they use free certs, but ones signed by CAs that attest merely that you truly are at given email address. There are two big puzzles: First, I don't see that Thawte actually verifies the email address when they issue you a cert. I did not have to return any mail to Thawte or go to a magic URL to prove I got the mail. The key may be I did have an account with them for a code-signing cert some years ago already set up. It would seem to me this would have to be freshly checked. Second, how are public keys exchanged? Do they piggyback on signed mail? Do you have to manually exchange and import them? Do you turn on the possibility for encryption by first exchanging signed but unencryted emails? Do you somehow generate automatic requests for them? In PGP, there are databases to lookup public keys. Are there similar ones too for SMIME working behind the scenes?  SignatureCanadian Mind Products, Roedy Green. Coaching, problem solving, economical contract programming. See http://mindprod.com/jgloss/jgloss.html for The Java Glossary. Hi, I don't have much firsthand experience with this system, but I've interspersed some comments about what I'm pretty sure is true. Chris > I would like to write an entry on SMIME for the Java glossary, but > is still quite a mystery how it works. [quoted text clipped - 11 lines] > ago already set up. It would seem to me this would have to be > freshly checked. I don't know about this. Presumably they assume the old e-mail address is correct; after all, they'd *have* to validate it somehow. > Second, how are public keys exchanged? Do they piggyback on signed > mail? Do you have to manually exchange and import them? Do you turn > on the possibility for encryption by first exchanging signed but > unencryted emails? Do you somehow generate automatic requests for > them? When an e-mail is signed, the certificate (with public key) of the sender is attached. The recipient assumes this certificate is valid because it's signed by the CA. The certificate is also saved in a database somewhere; only certificates already saved in this database can be used for encryption (thus you can only send an encrypted e-mail *to* somebody you've already received a signed e-mail *from*). > In PGP, there are databases to lookup public keys. Are there similar > ones too for SMIME working behind the scenes? There are no public repositories of keys. As mentioned above, certificates are only ever exchanged in the process of exchanging signed e-mail. However, CAs are supposed to regularly publish CRLs (certificate revocation lists) which list all certificates they issued whose owners have subsequently revoked them (until they also expire-then I think they're removed). Technically an e-mail client *should* call up the issuing CA every time an encrypted e-mail is sent to acquire the latest CRL and determine whether or not the certificate has been revoked, refusing to use it if it has. In practice, I'm not sure how often (if ever) this actually happens with the common e-mail clients in use today. As a side note, this should also happen every time a Web browser establishes an encrypted connection to a website. Firefox (and I think normal Mozilla) at least provide an option to enable the OCSP protocol which supposedly does this, but unfortunately as far as I can tell it sometimes breaks down and doesn't work right, leading to disabling verification just so you can access a site, besides which there's really no way to tell whether it's being used or not, since it's up to each individual CA to determine whether or not to support OCSP, and specify the appropriate URL in the CA certificate. It's a great ideal, but it sometimes doesn't work. > I would like to write an entry on SMIME for the Java glossary, but is > still quite a mystery how it works. > Second, how are public keys exchanged? Do they piggyback on signed > mail? Do you have to manually exchange and import them? Do you turn > on the possibility for encryption by first exchanging signed but > unencryted emails? Do you somehow generate automatic requests for > them? Public keys in certificates can be included in signed emails (or the signed email can just contain the raw signed content with authenticated attributes) as described a bit here (without all the MIME wrapping baggage): http://www.jensign.com/JavaScience/sigview Depending on the S/MIME email client, most clients also include an authenticated attribute (covered by the hash represented by the signature) called sMimeCapabilities, which tells the signed email recipient what YOUR (the sender's) encryption preferences are. Here is some info (ignore the C# stuff ... look at the sample outputs): http://www.jensign.com/JavaScience/dotnet/AuthAttr - Mitch Gallant JavaScience Consulting www.jensign.com Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.