User-Agent: Opera/9.62 (Windows NT 5.1; U; cs) Presto/2.1.1 Build Identifier: Mozilla Thunderbird v 22.214.171.124 (20081105) Some recipients use a certificate to sign messages but they need a different certificate to be used to encrypt mails for them. Some recipients use a certificate without e-mail address. Some recipients use more email addresses but they have only 1 certificate with 1 email address which should be used to encrypt messages for all their identities. The TB choose a certificate to encrypt automatically by recipient´s email address but there is no way to assign a certificate to the person manually selecting it. Reproducible: Always Steps to Reproduce: 1a. Try to write a S/MIME encrypted mail to a recipient with other email address then his certicicate contains. 1b. Or, try to send 2x an encrypted mail to a person with 2 public certificates with the same email address and use different certificate to encrypt the message. Actual Results: 2a. Cannot send an encrypted message. 2b. You cannot choose the certificate to encrypt the message. It is set automatically by Thunderbird. Expected Results: Possibility to set manually the certificate for encryption for the concrete recipient.
Matching certs with emails can be tricky. As noted above, some people don't have email addresses in their certs. There was talk of moving some cert-based functionality into the Address Book, but that's more complex these days given integration with the OS's Address Book (at least on some platforms).
Status: UNCONFIRMED → NEW
Component: Security → Security: S/MIME
Ever confirmed: true
Product: Thunderbird → MailNews Core
QA Contact: thunderbird → s.mime
And more, Thunderbird sometimes cannot find an appropriate certificate for encryption though it is installed (!!!) - I see it after an old certificate expiration e.g. And now there is no possibility to send an encrypted email at all! That means manual selection of certificate would be need.
E.g., the Enigmail extension has a well working way to set a key for the encryption manually (per recipient rules...)
I am sorry Thunderbird is completely stupid when it has an expired certificate for a contact and you want to use a new one. Not only did not recognize him right offer new certificate. If you want to make sure the new certificate, it is sometimes necessary to delete the certificates file (cert8.db) and let it create it again (with the troublesome manual renewal of all used certificates)!
I believe this has been fixed with bug 596221. Yes, our code had a bug that failed to find an existing good cert, and might have stopped when seeing a matching, but invalid cert. You could try "earlybird", a nightly test build of Thunderbird, to confirm that it's fixed. If confirmed, this should be marked as a dupe of 596221.
You need to log in before you can comment on or make changes to this bug.