[Cryptography] Any S/MIME or PGP for normal people

Viktor Dukhovni cryptography at dukhovni.org
Thu May 14 16:25:52 EDT 2015


On Wed, May 13, 2015 at 10:56:06PM -0000, John Levine wrote:

> An acquaintance of mine would like to set up some sort of message
> signing within a small business to make it easier for the staff to
> recognize real mail among each other.  I told him I'm not aware of any
> non-toy installations that aren't either in the government or a giant
> business that can mandate specific S/MIME software and configure it to
> use their favorite CA, or else a bunch of crypto nerds.

S/MIME on MacOS/X (Mail.app) works rather transparently: after
initially accepting a cert as valid for a given correspondent, that
trust setting is saved in the user's Keychain.  Similarly, the user's
signing/decryption key is saved in the Keychain.

After that you just send and receive mail as usual.  The remaining
key management problem is enabling users to generate keys or providing
them with PKCS#12 files to import.

One can also deploy trusted CAs into the System Keychain.

IIRC Windows S/MIME support tends to frown on TOFU PKI, and I don't
think that with Outlook et al. it is possible to trust a given
cert for a given correspondent.  There one does need a corporate
CA, and I don't recall how easy it is to sign or decrypt mail.

-- 
	Viktor.

