[perpass] Why Yaron can't encrypt: S/MIME in the real world
Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 07 September 2013 13:39 UTC
Message-ID: <522B2C86.7020300@gmail.com>
Date: Sat, 07 Sep 2013 16:39:18 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8
MIME-Version: 1.0
To: perpass@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Subject: [perpass] Why Yaron can't encrypt: S/MIME in the real world
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Sep 2013 13:39:24 -0000
Hi,

I have wanted to get my company on S/MIME for a while, and the recent noise was the final motivator I needed. We are a small company doing security; however (like anywhere else) not everybody can be considered a security "expert". So Outlook and Thunderbird have good support for S/MIME. This is a good starting point, right? Personally I am using Thunderbird running on Linux, which has very convenient S/MIME support. I had actually used it in the past.

Below I will show that in today's market you simply cannot use S/MIME, because of a combination of bad security practices, silly web-site design, lousy CA support on Linux and probably a few more factors.

* Started with the free options. The Web is full of tutorials on how to install the free Comodo email cert in your mail client. It turns out that with InstantSSL (Comodo) you cannot register twice with the same email address (e.g. if the cert is lost for some reason or you just want to use two different machines without shuttling private keys around). The same is true for StartSSL.

* Next tried Symantec: this is $22 per year, the UI is not very good (says the cert is installed but then has a button to install the cert). TB says the certificate could not be validated "for unknown reasons". I guess there is no valid certificate chain. Well, Symantec doesn't appear in either the Chromium/Linux or Firefox/Linux cert stores.

* GlobalSign: EUR 12 for 1 yr, 29 for 3 yrs. Not too bad. So you go into their wizard. The default is that the private key is generated by the CA! Which means this product is not (securely) usable for multiple users in an organization. Most of them will probably leak their private key.

* CACert: Free and open source. Probably still struggling (the server is extremely slow). Surprisingly, the CAcert root CA is known by Chromium/Linux but not by TB/Linux (stock Thunderbird on Ubuntu 12.04).

* Entrust: pricing is only for the US, UK and Canada. Other customers are referred to a small number of resellers (none for my geography). They still let you order the cert though. And then surprise! The $20 price that appears on the "Buy Now" page turns into $30 when you finish filling in the form.

This covers all I could find on the first 4 Google search pages for "email certificates". I will try again in a year or two.

Thanks,
	Yaron
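The GlobalSign point above (a wizard whose default has the CA generate the subscriber's private key) has a standard defensive answer: generate the key pair on your own machine and send the CA only a certificate signing request, so the private key never leaves the mail client's host. The following is an added example written for this archive page, not code from the original mail or from any of the CAs mentioned; it assumes an OpenSSL 1.1.1 or newer binary on the PATH, and the email address and output directory are made-up inputs.

```shell
#!/bin/sh
# Added example: build an S/MIME key pair and CSR locally, so the CA only
# ever sees the public key. Assumes OpenSSL >= 1.1.1 (needed for -addext).

make_smime_csr() {
  email="$1"
  outdir="$2"
  mkdir -p "$outdir" || return 1

  # 1. Private key is generated here and stays here (contrast with a CA
  #    wizard that generates it server-side and hands it back over the web).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
      -out "$outdir/smime.key" 2>/dev/null || return 1
  chmod 600 "$outdir/smime.key"

  # 2. CSR with the address in the subject and as an rfc822Name SAN; mail
  #    clients match the SAN against the From: address when validating.
  openssl req -new -key "$outdir/smime.key" \
      -subj "/CN=$email/emailAddress=$email" \
      -addext "subjectAltName=email:$email" \
      -out "$outdir/smime.csr" 2>/dev/null || return 1

  # 3. Sanity checks before uploading: the CSR's self-signature verifies,
  #    and the public key inside it is the one belonging to our private key.
  openssl req -in "$outdir/smime.csr" -noout -verify 2>/dev/null || return 1
  csr_pub=$(openssl req -in "$outdir/smime.csr" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$outdir/smime.key" -pubout 2>/dev/null)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Usage: make_smime_csr "you@example.com" ./smime-out
# Upload smime-out/smime.csr to the CA; smime-out/smime.key never leaves the host.
```

Only the `.csr` file goes to the CA; once the issued certificate comes back, it is imported into the mail client alongside the locally held key, and the same key file can be carried to a second machine by the user rather than by re-issuing through the CA's web form.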