
RE: Are certificates _required_ by the sender?

2002-05-15 07:25:53

Ben & Craig:

This is appropriate behavior.  RFC 2633, in section 3.3, says:

   ...  In addition to encrypting a copy of
   the content-encryption key for each recipient, a copy of the content
   encryption key SHOULD be encrypted for the originator and included in
   the envelopedData (see CMS Section 6).


At 09:41 AM 5/9/2002 +1200, Craig McGregor wrote:

Hi Ben,

Although I have not tested this theory, I suspect it is so that it can
encrypt the message both for the recipient and sender. Otherwise the
sender could not read their message from their sent items folder without
access to the recipient's private key - which of course is a no-no!

Nothing in the S/MIME RFCs says you _have_ to have one. You should be
able to happily encrypt but not sign e-mail without one. Practicalities
mean for certain functionality in clients it may be necessary to have
your own certificate.

Craig McGregor
Security Specialist
IT Systems            
The Treasury  

-----Original Message-----
From: Ben Littauer [mailto:littauer(_at_)blkk(_dot_)com]
Sent: Thursday, 9 May 2002 4:08 a.m.
To: ietf-smime(_at_)imc(_dot_)org
Subject: RE: Are certificates _required_ by the sender?

Interesting you should ask this right now.  I don't believe that there
any S/MIME requirement that says that the sender needs a cert.  That
however, MS Outlook DOES require that you have a cert before it will let
encrypt a message on someone else's cert that you've received.  Does
know why this is?


-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Terje 
Sent: Wednesday, May 08, 2002 5:26
To: ietf-smime(_at_)imc(_dot_)org
Subject: Are certificates _required_ by the sender?

Is the sender of an email required to have a certificate, or is it
sufficient for the sender to have a copy of the certificate of the
recipient? I am thinking of an automated system, where one party will
be the sender, and never receive emails. In addition, no signatures are
required. Thus nobody will ever actually need the public key for the
automated system. However, I'm uncertain if the sender can send S/MIME
messages without having a certificate of its own.

Thanks for your time
-Terry Tollisen
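
The two cases discussed in this thread, reproduced with the OpenSSL command line as an added example; it is not part of any message above and not the posters' own code. The certificate names, file names and message text are constructed test data. It encrypts once with only the recipient's certificate and once with the originator copy from RFC 2633 section 3.3, then checks who can read each message.

```shell
#!/bin/sh
# Added example: keys, certificates and the message are throwaway test data.
set -eu

# Create self-signed certs for "sender" and "recipient", then encrypt twice.
build_messages() {
  dir=$1
  for who in sender recipient; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$who" \
      -keyout "$dir/$who.key" -out "$dir/$who.crt" 2>/dev/null
  done
  printf 'nightly status report\n' > "$dir/msg.txt"
  # The automated-sender case: only the recipient's certificate is used.
  openssl smime -encrypt -aes256 -in "$dir/msg.txt" \
    -out "$dir/to_rcpt.p7m" "$dir/recipient.crt"
  # RFC 2633 section 3.3 SHOULD: the content-encryption key is also
  # encrypted for the originator, which needs an originator certificate.
  openssl smime -encrypt -aes256 -in "$dir/msg.txt" \
    -out "$dir/to_both.p7m" "$dir/recipient.crt" "$dir/sender.crt"
}

# Succeeds only if the message carries a RecipientInfo for $who's
# certificate and $who's private key recovers the original text.
can_decrypt() {
  dir=$1; file=$2; who=$3
  out=$(openssl smime -decrypt -in "$dir/$file" -recip "$dir/$who.crt" \
    -inkey "$dir/$who.key" 2>/dev/null) || return 1
  # S/MIME canonicalises line endings to CRLF; drop the CR before comparing.
  [ "$(printf '%s' "$out" | tr -d '\r')" = "nightly status report" ]
}

demo() {
  work=$(mktemp -d)
  build_messages "$work"
  for file in to_rcpt.p7m to_both.p7m; do
    for who in recipient sender; do
      if can_decrypt "$work" "$file" "$who"; then r=yes; else r=no; fi
      echo "$file readable by $who: $r"
    done
  done
  rm -rf "$work"
}
demo
```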
