ietf-smime

Re: (Practical) S/MIME certificate chain handling

2003-07-04 09:16:08

On Mon, Jun 30, 2003 at 03:40:01PM -0700, Blake Ramsdell wrote:

> -----Original Message-----
> From: owner-ietf-smime@mail.imc.org [mailto:owner-ietf-smime@mail.imc.org] On Behalf Of Julien Stern
> Sent: Monday, June 30, 2003 3:35 AM
> To: Blake Ramsdell; jimsch@exmsft.com; ietf-smime@imc.org
> Subject: Re: (Practical) S/MIME certificate chain handling
>
> > I believe that most clients transmit the certificate chain (not
> > including the root) today.
>
> To the best of my knowledge, Outlook does not, and it has quite a large
> market share ... (Although, I'd be happy to know how to make it do so if
> there is a way ;) ).
>
> Outlook 2002 sends all the certificates in the chain (I just verified
> this).  When Jim Schaad wrote the code way back in something like
> Outlook 97, I'm fairly certain that it sent all the certificates also.
> This could very well be a case of misconfiguration of some sort, and I'd
> be happy to work through it with you offline.  The early S/MIME
> implementations all understood the utility of this, and included the
> certificates for exactly the reasons that you cite.

We did a bit of research, and it seems that, for Outlook, if
intermediate certificates are stored in the local machine stores, they
are indeed sent. However, if these certificates are stored in the user
stores (the ones in the user profile) they are not sent, despite the
fact the chain is correctly reconstructed. This behavior is different
from the one in Outlook Express.

[many things regarding automatic verification snipped]

Regarding the rest of this thread, thanks to all for your enlightening
replies. I guess I'll take the pragmatic approach and attempt to focus
on the settings that actually work ;) And hopefully, at some point, I
will have the insurance that, given the extensions in my chain of cert,
and the available servers, _any_ S/MIME compliant receiver will indeed
be able to verify everything automatically, including revocation...

--
Julien
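A store-placement check for the Outlook behaviour Julien reports above (intermediates are only attached to signed mail when they sit in the local machine store). This is an added example, not code from the thread; it assumes a Windows PowerShell session, that the user's S/MIME signing certificates live in CurrentUser\My with the emailProtection EKU, and that the intermediates Outlook should attach belong in LocalMachine\CA.

```powershell
# Added diagnostic (not from the thread). For every S/MIME signing certificate in the
# user's personal store, build its chain and report which intermediate CA certificates
# are NOT present in LocalMachine\CA, i.e. the ones Outlook would leave out of the
# signed message according to the behaviour described in the post above.

# Thumbprints of everything in the machine-wide intermediate CA store.
$machineCA = @{}
Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object { $machineCA[$_.Thumbprint] = $true }

# Candidate signing certificates: private key present, id-kp-emailProtection EKU.
$signing = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4') }

foreach ($cert in $signing) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only store placement is being checked here, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        Write-Warning "Chain for $($cert.Subject) could not be built: $($chain.ChainStatus.StatusInformation)"
        continue
    }
    $elements = $chain.ChainElements | ForEach-Object { $_.Certificate }
    # Element 0 is the leaf; the self-signed root is the last one. The rest are intermediates.
    $intermediates = $elements | Select-Object -Skip 1 | Where-Object { $_.Subject -ne $_.Issuer }
    "Signing certificate: $($cert.Subject)"
    foreach ($ca in $intermediates) {
        if ($machineCA.ContainsKey($ca.Thumbprint)) {
            "  OK       $($ca.Subject) is in LocalMachine\CA"
        } else {
            "  MISSING  $($ca.Subject) is only in a CurrentUser store; import it into LocalMachine\CA"
        }
    }
    $chain.Dispose()
}
```

Importing into LocalMachine\CA needs administrator rights, which is why the check reports rather than moves certificates itself.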
