On 28.11.2018 at 00:47, Alice Wonder alice@domblogger.net wrote:
On 11/27/2018 03:33 PM, Gordon Messmer wrote:
On 11/25/18 5:35 AM, Alice Wonder wrote:
The "free for personal" S/MIME from Comodo didn't work. Browser said it did but there was nothing to export for me to then import. I suspect it is because I used a private browser window,
Probably, yes. I've used that service in the past without issue.
I really don't like the idea of a private key stored in browser anyway. And it never asked for a password to encrypt the private key
Setting a password will protect all of the certificates stored by Firefox. Select: Preferences -> Privacy and Security -> Security Devices (under Certificates) -> Software Security Device -> Change password. Chrome may have a similar option, but I don't see it and I don't see documentation for it.
nor let me specify key strength (only let me choose between medium and high - I assume high is 4096 but I don't know, it didn't say)
There's very little harm in getting a certificate and examining it to find out. You can destroy it later with no ill effect.
I actually went for a more complex scenario, I've created my own CA complete with CRL.
It's nice because with S/MIME you really want two certs - one for signing (where ECDSA can be used) and one for when you need to receive encrypted. And I have multiple e-mail accounts I want to do this with.
Could have done self-signed too but this at least allows me to revoke if a device like laptop or phone w/ private key is stolen.
Does mean those who want to confirm my messages have to import my root key but that's for them to decide.
Web browsers are applications that exist for the explicit purpose of downloading and executing untrusted code. It does not seem like that is a very wise environment to use for generating long term cryptography keys. It really doesn't.
Well, your own CA’s certificates are basically self-signed.
It’s of course a free country and you can do what you want - but in your case, you could just as well use GPG and be done with it. You could place your GPG public key where your root-certificate is placed and people could download and import that public key. The point of S/MIME is that there is a central authority to validate the owners of the certificates and no peer-to-peer fingerprint checking etc. a la GPG/PGP is needed.
It does have better native support in MUAs, I’ll give you that.
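
The private-CA setup discussed earlier in the thread (one signing cert, one encryption cert, revocation through a CRL) can be sketched with the `openssl` CLI. This is an added example, not taken from any poster's setup; the file names, subjects, the `sign`/`encrypt` section names and the choice of RSA for the encryption cert are assumptions.

```shell
make_ca() {  # run inside an empty directory; all names below are constructed placeholders
  mkdir -p newcerts; : > index.txt; echo 1000 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
unique_subject = no
policy = pol
[ pol ]
commonName = supplied
[ sign ]
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
[ encrypt ]
keyUsage = critical, keyEncipherment
extendedKeyUsage = emailProtection
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -x509 -new -key ca.key -config ca.cnf -extensions v3_ca -subj "/CN=Demo CA" -days 3650 -out ca.crt
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null   # initial, empty CRL
}
issue() {  # $1 = file prefix, $2 = sign (ECDSA key) or encrypt (RSA key)
  if [ "$2" = sign ]; then openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  else openssl genrsa -out "$1.key" 2048 2>/dev/null; fi
  openssl req -new -key "$1.key" -config ca.cnf -subj "/CN=Demo User" -out "$1.csr"
  openssl ca -batch -config ca.cnf -extensions "$2" -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}
revoke() {  # mark cert $1 revoked in the CA database, then publish a fresh CRL
  openssl ca -config ca.cnf -revoke "$1" -crl_reason keyCompromise 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
valid_for() {  # $1 = cert, $2 = smimesign or smimeencrypt; exit status 0 means accepted
  openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check -purpose "$2" "$1" >/dev/null 2>&1
}
```

Run `make_ca`, `issue sig sign` and `issue enc encrypt` in an empty directory; `valid_for sig.crt smimeencrypt` fails because the key usages are split, and after `revoke enc.crt` only the signing cert still verifies. Recipients see the revocation only if their mail client actually fetches and checks the CRL.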