
Easier email security keys using DNSSEC and LDAP

NEW
Unassigned

Status

MailNews Core
Security: S/MIME
--
enhancement
15 years ago
8 years ago

People

(Reporter: David A. Wheeler, Unassigned)

Tracking

1.0 Branch
x86
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: dupeme)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830

Currently, it's non-trivial to get keys securely exchanged to get
encryption and authentication - wouldn't it be better if it could be done
completely automatically?

The article http://www.dwheeler.com/essays/easy-email-sec.html
describes in detail how to securely get keys for email.
All you need is the email address of a user, and you can automatically
sign, encrypt, decrypt, and authenticate.  It
requires DNSSEC (DNS Security), and LDAP deployed to do this.
However, it doesn't require universal deployment; even just DNSSEC
deployed on the root name servers + a few other sites, and LDAP for
key distribution on critical sites (such as CERT), would be helpful.


Reproducible: Always


Comment 1

15 years ago
S/MIME. We're working on getting LDAP cert fetching to work.
Assignee: mstoltz → ssaux
Status: UNCONFIRMED → NEW
Component: Security: General → S/MIME
Ever confirmed: true
Product: MailNews → PSM
QA Contact: junruh → carosendahl
Whiteboard: dupeme
Version: other → 2.4

Comment 2

15 years ago
Your build is older, but should have LDAP cert retrieval working.  If not,
please upgrade to the latest 1.2 build.  We have tested this feature to work
with both SSL and non-SSL LDAP servers.  Configure your address book to use your
directory server and cert retrieval will work automatically.

Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 3

15 years ago
But that will only work if the local LDAP server actually has all
the certificates and/or CAs configured for the recipients, correct?
That has a scaling problem - it means that I have to constantly
reconfigure my LDAP server for the certificates of everyone
I communicate with, even if I haven't communicated with them before.

What I'm looking for is an automatic checked-for-security trace,
through DNSSEC, to find the _REMOTE_ CA and _automatically_ get
the other parties' certificates.
That way, once someone has configured their DNS server, I can
immediately find all other certificates exported by all other
organizations without re-configuring their local LDAP servers.
Note that this means that an LDAP server has to be configured to
export the certificates of its local workforce
(e.g., ldap.mega.com  has to export the certificate of
dwheeler@mega.com), and then everyone can follow the DNSSEC
trace to ensure that they really got the value stored at
ldap.mega.com.

This is, to my knowledge, NOT supported by current standards,
though of course I could be wrong about that.
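
The lookup chain described in this comment (email address -> DNSSEC-validated DNS -> the organisation's own LDAP server -> the recipient's certificate), as an added example that is not part of this bug or of Mozilla's code. DNS and LDAP are replaced by constructed in-memory tables so it runs offline; the `_ldap._tcp.<domain>` SRV name and the `userCertificate;binary` attribute are common conventions, while `DnsAnswer`, `locate_certificate` and the table layouts are assumptions of this example.

```python
# Illustration of the proposed lookup: given only an email address, find the
# remote organisation's LDAP server through DNS and fetch the certificate it
# publishes for that address, trusting the answer only if the DNS trace was
# DNSSEC-authenticated.  Resolver and LDAP are constructed fakes (assumption).
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    records: list          # SRV records as (priority, port, target)
    authenticated: bool    # the DNSSEC "AD" bit set by a validating resolver


# Constructed DNS view: mega.com is DNSSEC-signed, example.org is not.
FAKE_DNS = {
    "_ldap._tcp.mega.com.": DnsAnswer([(10, 389, "ldap.mega.com.")], True),
    "_ldap._tcp.example.org.": DnsAnswer([(10, 389, "ldap.example.org.")], False),
}

# Constructed directories keyed by LDAP server, then by the mail attribute,
# standing in for a search with filter (mail=<email>) for userCertificate;binary.
FAKE_LDAP = {
    "ldap.mega.com.": {"dwheeler@mega.com": b"-----CONSTRUCTED-DER-CERT-----"},
    "ldap.example.org.": {"alice@example.org": b"-----CONSTRUCTED-DER-CERT-2-----"},
}


class UntrustedPath(Exception):
    """Raised when the DNS trace to the LDAP server was not DNSSEC-authenticated."""


def locate_certificate(email, dns=FAKE_DNS, ldap=FAKE_LDAP):
    """Return the recipient's certificate bytes, or None if none is published.

    Raises UntrustedPath instead of degrading silently when the SRV answer
    lacks DNSSEC authentication: an unauthenticated answer would let anyone
    who can spoof DNS point the client at their own LDAP server and cert.
    """
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address: %r" % email)
    answer = dns.get("_ldap._tcp.%s." % domain.lower())
    if answer is None or not answer.records:
        return None                               # organisation publishes nothing
    if not answer.authenticated:
        raise UntrustedPath("SRV answer for %s was not DNSSEC-validated" % domain)
    _, _, target = min(answer.records)            # lowest priority wins (RFC 2782)
    return ldap.get(target, {}).get(email.lower())
```

The point of the example is the ordering: the authenticity check on the DNS answer happens before any LDAP result is consulted, so a spoofed directory location can never yield a "found" certificate.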

Comment 4

15 years ago
reopening and leaving as an enhancement request.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

Comment 5

14 years ago
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Status: REOPENED → NEW

Updated

13 years ago
Component: Security: S/MIME → Security: S/MIME
Product: PSM → Core
QA Contact: carosendahl → s.mime

Updated

9 years ago
Version: psm2.4 → 1.0 Branch

Updated

9 years ago
Component: Security: S/MIME → Security: S/MIME
Product: Core → MailNews Core