[CentOS] [OT] Where to buy S/MIME ??

Gordon Messmer gordon.messmer at gmail.com
Thu Nov 29 03:58:33 UTC 2018


On 11/27/18 3:47 PM, Alice Wonder wrote:
> I actually went for a more complex scenario, I've created my own CA 
> complete with CRL.


OK.  That means fewer certificates for your peers to install over time, 
but is otherwise no better than self-signed.


> It's nice because with S/MIME you really want two certs - one for 
> signing (where ecdsa can be used) and one for when you need to receive 
> encrypted.


IIRC, an S/MIME client should be able to install your public cert and 
encrypt messages sent to you with no user interaction.  With 
Thunderbird, if I reply to a signed message, I can encrypt the reply.  
From a usability standpoint, I really want to have just one 
certificate.  The easier it is to send me encrypted messages, the more 
likely it is that messages will be secure.


> Web browsers are applications that exist for the explicit purpose of 
> downloading and executing untrusted code. It does not seem like that 
> is a very wise environment to use for generating long term 
> cryptography keys. It really doesn't. 


On the other hand, if you don't trust your browser's cryptography 
implementation, you definitely should not be using your browser for 
secure communication (https).



