On Friday, 18 January 2019 05:45:11 CET Jakob Bohm via openssl-users wrote:
> On 16/01/2019 21:25, Viktor Dukhovni wrote:
> >> On Jan 15, 2019, at 10:29 AM, Eliot Lear <lear@xxxxxxxxxxxxxxxxxxx>
> >
> > The naïve model of using the signer and recipient keys as long-term
> > verification and decryption keys is deeply flawed for data retention.
> > This is a big part of the reason why end-to-end email encryption has
> > negligible adoption, the storage infrastructure to make it usable was
> > never built.
>
> As explained above, most of that storage infrastructure is in
> fact in place, but the major e-mail clients lack the code to use
> it. For example the "openssl cms" command (used by some unix mail
> clients, such as Mutt) doesn't have an option to specify the "as of"
> date extracted from an external trusted source.

It does in newer versions (it is definitely present in 1.1.0i):

  -attime intmax    verification epoch time

> Nor does it have
> an option to input a recorded OCSP response or CRL to be validated
> and used according to that "as of" date.

That's true.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
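The "as of" verification that the reply above points at, shown end to end as an added example (this script is not from the thread and not part of OpenSSL): a throwaway self-signed certificate valid for two days signs a constructed message, and the same CMS signature is then verified with "openssl cms -verify -attime" at an epoch inside the certificate's validity and at one three days later. The assumptions are an openssl CLI of 1.1.0 or newer on PATH (the option is in the verify options shared by cms, smime and verify), a default openssl.cnf so that "req -x509" works, and that the epoch you would really pass comes from a trusted external source such as a timestamp token; here it is simply computed from the local clock.

```shell
#!/bin/sh
# Added example, not from the openssl-users thread. Assumes openssl >= 1.1.0
# on PATH and a usable default openssl.cnf. Everything is a constructed,
# throwaway test PKI in a temporary directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One self-signed certificate, valid for 2 days from now, used both as the
# signer and as the trust anchor (-CAfile). Short validity lets us pick an
# epoch on either side of notAfter without parsing the certificate.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=attime-example" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" 2>/dev/null
}

# Sign a constructed sample message in S/MIME form (the default for cms -sign).
sign_message() {
  printf 'Quarterly report attached. (constructed sample message)\n' >"$WORK/msg.txt"
  openssl cms -sign -in "$WORK/msg.txt" \
    -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
    -out "$WORK/msg.p7s" 2>/dev/null
}

# Verify the stored signature as of an arbitrary epoch ($1, seconds since
# 1970-01-01 UTC). The exit status is openssl's verdict: the chain is built
# against -CAfile and validity is checked at the given time instead of now.
verify_asof() {
  openssl cms -verify -in "$WORK/msg.p7s" -CAfile "$WORK/signer.crt" \
    -attime "$1" -out /dev/null 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  make_pki
  sign_message
  NOW=$(date +%s)
  for t in $((NOW + 3600)) $((NOW + 3 * 86400)); do
    if verify_asof "$t"; then
      echo "as of $t: signature verifies"
    else
      echo "as of $t: verification fails (certificate not valid at that time)"
    fi
  done
fi
```

Note what -attime does and does not do: it moves the clock used for the certificate validity window (and for any CRL checks you enable), so an archived signature can be verified against the time it was made rather than the time it is read. It does not itself supply a recorded OCSP response or CRL captured at that time, which is the second gap raised in the thread.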