?

Log in

No account? Create an account

November 30th, 2012

fedora 蓝色小药丸

My tweets


有个不太明白的地方,是为什么必须双方都有 "Digital ID" 以后,才可以发S/MIME加密邮件。按理说,乙方拿到甲方的 public key 以后,加密是不需要自己有key的。Wikipedia 说
While it is technically possible to send a message encrypted (using the destination party certificate) without having one's own certificate to digitally sign, in practice, the S/MIME clients will require you install your own certificate before they allow encrypting to others.
...
Due to the requirement of a certificate for implementation, not all users can take advantage of S/MIME, as some may wish to encrypt a message, with a public/private key pair for example, without the involvement or administrative overhead of certificates.
所以很疑惑。这篇文章写得清楚的地方是 1. 通常需要为 signing 和 encrypt 准备不同的 key,其中 encrypt key 可以经常换换; 2. 客户端软件通常都要手动地把对方加为联系人。

MSDN article: Understanding S/MIME
StackExchange: How does PGP differ from S/MIME
Entrust FAQ: Do both parties need an cert to communicate?
Both parties need an X.509 cert (public or private, any vendor). Encryption — both parties should need an x.509 s/mime cert. Signing — only the signer needs a cert, the verifier doesn't.
文件格式: 从 Firefox Penango 导出的 personal key backup 是 .p12 扩展名,可以导入 Outlook; 一种邮件附件是 .p7s 扩展名,表示已经签名;另一种邮件附件是 .p7m 扩展名,表示已经加密。
[Content-Type]
Content-Type: application/pkcs7-signature; name="Verify This Message with Penango.p7s"
Content-Disposition: attachment; filename="Verify This Message with Penango.p7s"

Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"