User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830

Currently, it's non-trivial to get keys securely exchanged to get encryption and authentication - wouldn't it be better if it could be done completely automatically? The article http://www.dwheeler.com/essays/easy-email-sec.html describes in detail how to securely get keys for email. All you need is the email address of a user, and you can automatically sign, encrypt, decrypt, and authenticate. It requires DNSSEC (DNS Security) and LDAP deployed to do this. However, it doesn't require universal deployment; even just DNSSEC deployed on the root name servers + a few other sites, and LDAP for key distribution on critical sites (such as CERT), would be helpful.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
S/MIME. We're working on getting LDAP cert fetching to work.
Your build is older, but it should have LDAP cert retrieval working. If not, please upgrade to the latest 1.2 build. We have tested this feature to work with both SSL and non-SSL LDAP servers. Configure your address book to use your directory server and cert retrieval will work automatically.
But that will only work if the local LDAP server actually has all the certificates and/or CAs configured for the recipients, correct? That has a scaling problem - it means that I have to constantly reconfigure my LDAP server for the certificates of everyone I communicate with, even if I haven't communicated with them before. What I'm looking for is an automatic checked-for-security trace, through DNSSEC, to find the _REMOTE_ CA and _automatically_ get the other parties' certificates. That way, once someone has configured their DNS server, I can immediately find all other certificates exported by all other organizations without re-configuring their local LDAP servers. Note that this means that an LDAP server has to be configured to export the certificates of its local workforce (e.g., ldap.mega.com has to export the certificate of email@example.com), and then everyone can follow the DNSSEC trace to ensure that they really got the value stored at ldap.mega.com. This is, to my knowledge, NOT supported by current standards, though of course I could be wrong about that.
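The lookup chain the preceding comment asks for (derive the domain from the address, find that organization's directory server through DNSSEC-validated DNS, fetch the published certificate, refuse anything that was not validated) can be sketched in code. The block below is an added example written for this page; it is not Mozilla code and not the mechanism the linked essay specifies. The `_ldap._tcp.<domain>` record name, the `validated` flag standing in for a resolver's AD bit, the two directory servers and every address and certificate record in it are constructed for the example; no such standard existed when the comment was written.

```python
"""Added example: DNSSEC-gated discovery of a remote organization's
S/MIME certificate, with constructed DNS and LDAP data (not real lookups)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    target: str      # hostname of the organization's LDAP server
    validated: bool  # True only if the resolver validated the DNSSEC chain (AD bit)


@dataclass(frozen=True)
class CertRecord:
    subject_email: str  # e-mail address bound inside the certificate
    der: bytes          # certificate bytes (placeholder here, not a real DER blob)


# Constructed DNS zone: hypothetical "_ldap._tcp.<domain>" names pointing at
# each organization's directory server. unsigned.example has no DNSSEC.
DNS = {
    "_ldap._tcp.mega.com": DnsAnswer("ldap.mega.com", validated=True),
    "_ldap._tcp.unsigned.example": DnsAnswer("ldap.unsigned.example", validated=False),
}

# Constructed directory contents: server -> mail attribute -> published certificate.
# mallory's entry is deliberately wrong: the directory says it is mallory's,
# but the certificate itself binds a different address.
LDAP = {
    "ldap.mega.com": {
        "alice@mega.com": CertRecord("alice@mega.com", b"<der bytes for alice>"),
        "mallory@mega.com": CertRecord("someone-else@evil.example", b"<der bytes>"),
    },
    "ldap.unsigned.example": {
        "bob@unsigned.example": CertRecord("bob@unsigned.example", b"<der bytes for bob>"),
    },
}


class DiscoveryError(Exception):
    """No certificate could be obtained securely for the address."""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise DiscoveryError(f"not an e-mail address: {address!r}")
    return domain.lower()


def discover_directory(domain: str) -> str:
    """Find the domain's LDAP server; accept only DNSSEC-validated answers."""
    answer = DNS.get(f"_ldap._tcp.{domain}")
    if answer is None:
        raise DiscoveryError(f"{domain} publishes no directory server")
    if not answer.validated:
        # An unsigned answer could have been forged on the wire; treat it as absent.
        raise DiscoveryError(f"DNS answer for {domain} is not DNSSEC-validated; refusing")
    return answer.target


def fetch_certificate(address: str) -> CertRecord:
    """Resolve address -> directory server -> certificate, checking the binding."""
    address = address.lower()  # simplification: treat the whole address case-insensitively
    server = discover_directory(domain_of(address))
    record = LDAP.get(server, {}).get(address)
    if record is None:
        raise DiscoveryError(f"{server} has no certificate for {address}")
    if record.subject_email.lower() != address:
        # The directory attribute is not authoritative; the certificate must name the recipient.
        raise DiscoveryError(f"certificate from {server} is for {record.subject_email}, not {address}")
    return record


def fetch_all(addresses):
    """Map each recipient to its certificate or to the reason it was refused."""
    results = {}
    for addr in addresses:
        try:
            results[addr] = fetch_certificate(addr)
        except DiscoveryError as exc:
            results[addr] = str(exc)
    return results


if __name__ == "__main__":
    for addr, outcome in fetch_all(
        ["alice@mega.com", "bob@unsigned.example", "mallory@mega.com", "nobody@mega.com"]
    ).items():
        print(f"{addr}: {outcome}")
```

Nothing in the sender's own configuration names mega.com; the only per-recipient state is what mega.com publishes, which is the scaling property the comment is after. The two refusals (unvalidated DNS, certificate bound to a different address) are the checks a client would need before trusting a remotely fetched certificate.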
reopening and leaving as an enhancement request.
Mass reassign ssaux bugs to nobody