[unisog] S/MIME Key Management
mike.wiseman at utoronto.ca
Fri Nov 4 16:50:42 GMT 2005
> You really need access to something that can generate
> keys and be a CA that is trusted by all concerned and
> can manage adding and revoking certs as well. Eudora 6,
> it should be noted, has a particularly short list of
> trusted CAs and doesn't use the trusted CA lists built
> into operating systems. Netscape/Mozilla/Thunderbird also
> have their own built-in internal trusted CAs but the list
> is at least similar to the ones found in Windows and MacOS.
> For some uses, we use CAcert.org, which is as close to a common
> non-commercial key provider as I know about. They are fast, free
> and easy to work with but you have to add them as a trusted
> CA manually on every single machine... sometimes more than
> once (once for the system, once for Thunderbird, etc.).
> Many universities set up their own CA but you have to add
> those certs manually as well and then add the universities of
> everyone else, not to mention the framework to give and revoke
> hundreds or thousands of individual certs. CAcert is a more
> elegant choice if you trust them.
> My understanding is that one qualification to be included
> in Windows/MacOSs as a default CA is a rather large check
> so I wouldn't hold my breath for default inclusion by free
> CAs any time soon.
I also looked into the ability to have a commercial CA sign our institutional intermediate
CA cert so that our user and server certs would be trusted by client apps. Indeed it's
expensive and a lot of effort meeting the policy requirements of the CA. I'd be interested
to hear if others are doing a combination of reselling commercial CA products and running
a self-signed CA. The reselling service would serve those needing SSL server certs and
S/MIME certs for external-facing email. The internal CA would be used for user
authentication and encryption apps.
Computing and Networking Services
University of Toronto