[unisog] S/MIME Key Management

Mike Wiseman mike.wiseman at utoronto.ca
Fri Nov 4 16:50:42 GMT 2005

>  You really need access to something that can generate
>  keys and be a CA that is trusted by all concerned and
>  can manage adding and revoking certs as well. Eudora 6,
>  it should be noted, has a particularly short list of
>  trusted CAs and doesn't use the trusted CA lists built
>  into operating systems. Netscape/Mozilla/Thunderbird also
>  have their own built-in internal trusted CAs, but the list
>  is at least similar to the ones found in Windows and MacOS.
>  For some uses, we use CAcert.org, which is as close to a common
>  non-commercial key provider as I know of. They are fast, free
>  and easy to work with, but you have to add them as a trusted
>  CA manually on every single machine... sometimes more than
>  once (once for the system, once for Thunderbird, etc.).
>  Many universities set up their own CA, but you have to add
>  those certs manually as well, and then add those of every
>  other university, not to mention the framework to issue and revoke
>  hundreds or thousands of individual certs. CAcert is a more
>  elegant choice if you trust them.
>  My understanding is that one qualification to be included
>  in Windows/MacOS as a default CA is a rather large check,
>  so I wouldn't hold my breath for default inclusion by free
>  CAs any time soon.

I also looked into having a commercial CA sign our institutional intermediate 
CA cert so that our user and server certs would be trusted by client apps. Indeed, it's 
expensive, and meeting the commercial CA's policy requirements takes a lot of effort. I'd be 
interested to hear if others are doing a combination of reselling commercial CA products and 
running a self-signed CA. The reselling service would serve those needing SSL server certs and 
S/MIME certs for external-facing email. The internal CA would be used for user 
authentication and encryption apps.


Mike Wiseman
Computing and Networking Services
University of Toronto 