ietf-smime

RE: Are certificates _required_ by the sender?

2002-05-15 07:25:53

Ben & Craig:

This is appropriate behavior.  RFC 2633, in section 3.3, says:

   ...  In addition to encrypting a copy of
   the content-encryption key for each recipient, a copy of the content
   encryption key SHOULD be encrypted for the originator and included in
   the envelopedData (see CMS Section 6).

Russ


At 09:41 AM 5/9/2002 +1200, Craig McGregor wrote:

Hi Ben,

Although I have not tested this theory, I suspect it is so that it can
encrypt the message both for the recipient and sender. Otherwise the
sender could not read their message from their sent items folder without
access to the recipient's private key - which of course is a no-no!

Nothing in the S/MIME RFCs says you _have_ to have one. You should be
able to happily encrypt but not sign e-mail without one. Practicalities
mean for certain functionality in clients it may be necessary to have
your own certificate.

--
Craig McGregor
Security Specialist
IT Systems                      http://e.govt.nz/see/mail
The Treasury            http://www.treasury.govt.nz




-----Original Message-----
From: Ben Littauer [mailto:littauer(_at_)blkk(_dot_)com]
Sent: Thursday, 9 May 2002 4:08 a.m.
To: ietf-smime(_at_)imc(_dot_)org
Subject: RE: Are certificates _required_ by the sender?



Interesting you should ask this right now.  I don't believe that there is
any S/MIME requirement that says that the sender needs a cert.  That said,
however, MS Outlook DOES require that you have a cert before it will let you
encrypt a message on someone else's cert that you've received.  Does anyone
know why this is?

-ben-

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Terje Tollisen
Sent: Wednesday, May 08, 2002 5:26
To: ietf-smime(_at_)imc(_dot_)org
Subject: Are certificates _required_ by the sender?



Is the sender of an email required to have a certificate, or is it
sufficient for the sender to have a copy of the certificate of the
recipient? I am thinking of an automated system, where one party will always
be the sender, and never receive emails. In addition, no signatures are
required. Thus nobody will ever actually need the public key for the
automated system. However, I'm uncertain if the sender can send S/MIME
messages without having a certificate of its own.

Thanks for your time
-Terry Tollisen
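
The behaviour discussed in this thread, as an added example that is not part of the original messages: an EnvelopedData built for the recipient only can be produced without any sender certificate but cannot be re-read by the sender, while one that also carries a copy of the content-encryption key for the originator can. It assumes the OpenSSL `cms` command is installed; the party names, keys and message are constructed.

```sh
#!/bin/sh
# Added example: throwaway keys, certificates and message, all constructed.
# The party names "sender" and "recipient" are assumptions.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MSG='report from the automated sender'

# Create a self-signed certificate and unencrypted private key for party $1.
make_party() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Write EnvelopedData to file $1; the content-encryption key is encrypted
# once for each certificate file given in the remaining arguments.
seal() {
  out="$1"; shift
  printf '%s' "$MSG" |
    openssl cms -encrypt -binary -aes-256-cbc -outform PEM -out "$out" "$@"
}

# Decrypt file $1 as party $2 and print the plaintext. Fails when the
# message has no RecipientInfo matching that party's certificate.
open_as() {
  openssl cms -decrypt -binary -inform PEM -in "$1" \
    -recip "$WORK/$2.crt" -inkey "$WORK/$2.key" 2>/dev/null
}

make_party sender
make_party recipient

# Recipient only: what a sender with no certificate of its own can produce.
seal "$WORK/recipient_only.pem" "$WORK/recipient.crt"
# RFC 2633 section 3.3 SHOULD: an extra copy of the key for the originator.
seal "$WORK/with_originator.pem" "$WORK/recipient.crt" "$WORK/sender.crt"

for f in recipient_only with_originator; do
  for who in recipient sender; do
    if open_as "$WORK/$f.pem" "$who" >/dev/null; then r="readable"
    else r="NOT readable"; fi
    echo "$f.pem as $who: $r"
  done
done
```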
