> On 28.11.2018 at 00:47, Alice Wonder <alice@xxxxxxxxxxxxxx> wrote:
>
> On 11/27/2018 03:33 PM, Gordon Messmer wrote:
>> On 11/25/18 5:35 AM, Alice Wonder wrote:
>>> The "free for personal" S/MIME from Comodo didn't work. Browser said it did but there was nothing to export for me to then import. I suspect it is because I used a private browser window,
>> Probably, yes. I've used that service in the past without issue.
>>> I really don't like the idea of a private key stored in the browser anyway. And it never asked for a password to encrypt the private key
>> Setting a password will protect all of the certificates stored by Firefox. Select: Preferences -> Privacy and Security -> Security Devices (under Certificates) -> Software Security Device -> Change password
>> Chrome may have a similar option, but I don't see it and I don't see documentation for it.
>>> nor let me specify key strength (only let me choose between medium and high - I assume high is 4096 but I don't know, it didn't say)
>> There's very little harm in getting a certificate and examining it to find out. You can destroy it later with no ill effect.
>
> I actually went for a more complex scenario, I've created my own CA complete with CRL.
>
> It's nice because with S/MIME you really want two certs - one for signing (where ecdsa can be used) and one for when you need to receive encrypted. And I have multiple e-mail accounts I want to do this with.
>
> Could have done self-signed too but this at least allows me to revoke if a device like laptop or phone w/ private key is stolen.
>
> Does mean those who want to confirm my messages have to import my root key but that's for them to decide.
>
> Web browsers are applications that exist for the explicit purpose of downloading and executing untrusted code. It does not seem like that is a very wise environment to use for generating long-term cryptography keys. It really doesn't.
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos

Well, your own CA's certificates are basically self-signed. It's of course a free country and you can do what you want - but in your case, you could just as well use GPG and be done with it. You could place your GPG public key where your root certificate is placed and people could download and import that public key.

The point of S/MIME is that there is a central authority to validate the owners of the certificates and no peer-to-peer fingerprint checking etc. à la GPG/PGP is needed. It does have better native support in MUAs, I'll give you that.
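The private CA with a CRL and separate signing and encryption certificates that Alice describes above, as an added example that is not part of the thread: a shell script using openssl that builds the CA, issues an ECDSA signing certificate and an RSA encryption certificate for one mailbox with matching key usages, and revokes one of them through a CRL. The CA name, mailbox address and key sizes are placeholders of mine, and it assumes OpenSSL 1.1.1 or later.

```shell
# Constructed example, not from the thread: a private S/MIME CA issuing one ECDSA signing cert and one RSA encryption cert per mailbox, plus a CRL.
set -e
cd "$(mktemp -d)"
EMAIL="user@example.invalid"   # placeholder mailbox, not a real address
# Minimal config for 'openssl req' and 'openssl ca'; unique_subject=no lets one mailbox hold both certs, [dn] stays empty because subjects come from -subj.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = smime_ca
[ smime_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
unique_subject = no
policy = smime_policy
[ smime_policy ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Root key and self-signed cert (ECDSA P-256), restricted to signing certs and CRLs.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
openssl req -x509 -config ca.cnf -extensions v3_ca -key ca.key -out ca.crt -days 3650 \
  -subj "/CN=Private S-MIME CA"
# issue NAME ALG PKEYOPT KEYUSAGE: fresh key, CSR, then a cert limited to that key usage.
issue() {
  openssl genpkey -algorithm "$2" -pkeyopt "$3" -out "$1.key"
  openssl req -new -config ca.cnf -key "$1.key" -subj "/CN=Example User" -out "$1.csr"
  printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=critical,$4" \
    "extendedKeyUsage=emailProtection" "subjectAltName=email:$EMAIL" > "$1.ext"
  openssl ca -config ca.cnf -batch -notext -days 365 -in "$1.csr" -out "$1.crt" -extfile "$1.ext"
}
issue sign EC  ec_paramgen_curve:P-256 digitalSignature,nonRepudiation
issue enc  RSA rsa_keygen_bits:3072    keyEncipherment
# check CERT: succeeds only if the chain verifies and CERT is absent from a freshly issued CRL.
check() {
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
}
# revoke CERT: what the CA does when the device holding that private key is lost.
revoke() { openssl ca -config ca.cnf -revoke "$1" -crl_reason keyCompromise 2>/dev/null; }
```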