[CentOS] [OT] Where to buy S/MIME ??

Mon Nov 26 19:37:46 UTC 2018
Mark Milhollan <mlm at pixelgate.net>

On Sun, 25 Nov 2018, Alice Wonder wrote:

>I want more than just DKIM sigs on my e-mail now.

That digital signature (failing to verify) should be sufficient proof 
that the content was altered -- it is as strong as S/MIME signing only 
will provide, i.e., if someone with power over your life can be 
convinced that you authored an altered/doctored message then whether the 
DKIM headers or the S/MIME signature was discarded seems pretty 
immaterial.

> Anyway looking for S/MIME I can use to sign and/or encrypt but mostly sign. 

> The "free for personal" S/MIME from Comodo didn't work. Browser said it did but
> there was nothing to export for me to then import. I suspect it is because I
> used private browser window, I really don't like the idea of a private key
> stored in browser anyway. And it never asked for a password to encrypt the
> private key, nor let me specify key strength (only let me choose between medium
> and high - I assume high is 4096 but I don't know, it didn't say)

Likely being "private" was the issue though I'd expect that if a key 
won't be stored because the window was private it should refuse to 
generate a CSR which is what happens though you can't see it.  Perhaps 
you should revoke and reissue, i.e., try again but not private, or it 
might be on a different tab that you failed to notice.  Once you have a 
signed certificate installed you can export it to a PKCS#12 bundle for 
which Firefox will require a password.  Feel free to delete it from the 
browser's store once you export it -- I doubt I would; the certificate 
usage specifier should prevent it being used when visiting a site that 
allows or requires you to provide a client-side certificate.

> But I can't find anyone who sells certs for S/MIME to send the CSR to.

Indeed, nothing inexpensive.  Supply and demand economics, you want what 
isn't in much demand so pay a premium.  I can't even find it in the 
OpenSRS reseller panel and they resell everything they can.  
mozillaZine has a knowledgebase article about it along with possible 
sources (including signers that are no longer issuing them), see 
<http://kb.mozillazine.org/Getting_an_SMIME_certificate>.


/mark
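
The CSR, PKCS#12 export and usage-specifier steps discussed in this message, as an added example that is not part of the original post: the key and CSR are generated locally with the openssl CLI instead of inside the browser, and the resulting certificate is bundled into a password-protected PKCS#12 file. Assumptions: openssl is installed, a self-signature stands in for the CA's signature, and the address, passphrase and file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: generate the S/MIME key and CSR outside the browser.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT          # do not leave the private key behind
EMAIL="user@example.org"            # constructed address
P12_PASS="constructed-passphrase"   # constructed; pick a real secret in practice

make_key_and_csr() {
    # 4096-bit RSA key that never leaves this machine, plus the CSR for the CA.
    # -nodes leaves the key file unencrypted; it only lives in $WORK here.
    openssl req -new -newkey rsa:4096 -nodes \
        -keyout "$WORK/smime.key" -out "$WORK/smime.csr" \
        -subj "/CN=$EMAIL/emailAddress=$EMAIL" 2>/dev/null
}

stand_in_ca_sign() {
    # Stand-in for the CA (assumption): self-sign the CSR with a usage
    # specifier limited to e-mail protection, so no TLS client auth.
    printf '%s\n' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=emailProtection' \
        "subjectAltName=email:$EMAIL" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/smime.csr" -signkey "$WORK/smime.key" \
        -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/smime.crt" 2>/dev/null
}

export_p12() {
    # Key + certificate in one PKCS#12 bundle, encrypted under a password,
    # ready to import into a mail client.
    openssl pkcs12 -export -inkey "$WORK/smime.key" -in "$WORK/smime.crt" \
        -name "$EMAIL" -passout "pass:$P12_PASS" -out "$WORK/smime.p12"
}

cert_eku() {
    # Print the certificate's Extended Key Usage value with spaces removed.
    openssl x509 -in "$WORK/smime.crt" -noout -text |
        grep -A1 'Extended Key Usage' | tail -n1 | tr -d ' '
}

p12_opens_with() {
    # Succeeds only if the given password unlocks the bundle.
    openssl pkcs12 -in "$WORK/smime.p12" -noout -passin "pass:$1" 2>/dev/null
}

make_key_and_csr
stand_in_ca_sign
export_p12
echo "EKU: $(cert_eku)"
```

With a real CA, the step in `stand_in_ca_sign` is replaced by submitting `smime.csr` and saving the certificate the CA returns.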