[CentOS] [OT] Where to buy S/MIME ??

Tue Nov 27 23:54:12 UTC 2018
Rainer Duffner <rainer at ultra-secure.de>


> Am 28.11.2018 um 00:47 schrieb Alice Wonder <alice at domblogger.net>:
> 
> On 11/27/2018 03:33 PM, Gordon Messmer wrote:
>> On 11/25/18 5:35 AM, Alice Wonder wrote:
>>> The "free for personal" S/MIME from Comodo didn't work. Browser said it did but there was nothing to export for me to then import. I suspect it is because I used private browser window,
>> Probably, yes.  I've used that service in the past without issue.
>>> I really don't like the idea of a private key stored in browser anyway. And it never asked for a password to encrypt the private key
>> Setting a password will protect all of the certificates stored by Firefox.  Select: Preferences -> Privacy and Security -> Security Devices (under Certificates) -> Software Security Device -> Change password
>> Chrome may have a similar option, but I don't see it and I don't see documentation for it.
>>> nor let me specify key strength (only let me choose between medium and high - I assume high is 4096 but I don't know, it didn't say)
>> There's very little harm in getting a certificate and examining it to find out.  You can destroy it later with no ill effect.
> 
> I actually went for a more complex scenario, I've created my own CA complete with CRL.
> 
> It's nice because with S/MIME you really want two certs - one for signing (where ecdsa can be used) and one for when you need to receive encrypted. And I have multiple e-mail accounts I want to do this with.
> 
> Could have done self-signed too but this at least allows me to revoke if a device like laptop or phone w/ private key is stolen.
> 
> Does mean those who want to confirm my messages have to import my root key but that's for them to decide.
> 
> Web browsers are applications that exist for the explicit purpose of downloading and executing untrusted code. It does not seem like that is a very wise environment to use for generating long term cryptography keys. It really doesn't.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos


Well, your own CA’s certificates are basically self-signed.

It’s of course a free country and you can do what you want - but in your case, you could just as well use GPG and be done with it. You could place your GPG public key where your root-certificate is placed and people could download and import that public key.
The point of S/MIME is that there is a central authority to validate the owners of the certificates and no peer-to-peer fingerprint checking etc. a la GPG/PGP is needed.

It does have better native support in MUAs, I’ll give you that.