Closed Bug 590915 Opened 14 years ago Closed 14 years ago

Provide recognized certs for signing email

Categories

(Mozilla Messaging Graveyard :: Office, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Usul, Unassigned)

Details

The current certs that we have are self-signed by a Momo authority. The public cert for that authority is not provided by default in the Mozilla cert store. So when we sign emails with our certs they are not fully recognized on the recipient side unless they have our public root certificate in their store. Could we get a certificate signed by a root CA that is present in Mozilla's default cert store? Filed in Office, but could also be in Security.

(In reply to comment #0)
> The current certs that we have are self-signed by a Momo authority. The public
> cert for that authority is not provided by default in the Mozilla cert store.
> So when we sign emails with our certs they are not fully recognized on the
> recipient side unless they have our public root certificate in their store.

That's correct, and we certainly could put that CA somewhere easy for folks to download.

> Could we get a certificate signed by a root CA that is present in Mozilla's
> default cert store?

Yes, but we'd have to go to one of the big CAs (Thawte, Verisign, etc.) and pay to get each individual's certs signed...

(In reply to comment #1)
> (In reply to comment #0)
> > The current certs that we have are self-signed by a Momo authority. The public
> > cert for that authority is not provided by default in the Mozilla cert store.
> > So when we sign emails with our certs they are not fully recognized on the
> > recipient side unless they have our public root certificate in their store.
>
> That's correct, and we certainly could put that CA somewhere easy for folks to
> download.

I was unable to find out if there were best practices to do that, with known URLs for both the root certs and CRLs. Bob, do you know if there are such documents (a quick Google search revealed nothing)?

> > Could we get a certificate signed by a root CA that is present in Mozilla's
> > default cert store?
>
> Yes, but we'd have to go to one of the big CAs (Thawte, Verisign, etc.) and pay
> to get each individual's certs signed...

Any idea how much that would cost per person/per year?

Why not use free class one S/MIME certificates from Comodo or StartCom as an interim solution while waiting for CAcert to become auditable (they seem to be making progress)? My impression is that you normally only have to pay for higher security certificates (that verify who you are, rather than just what email address was used), or for certificates for sites. That has the added advantage of you eating the same dogfood as most users.
http://blog.cacert.org/
https://bugzilla.mozilla.org/show_bug.cgi?id=215243 (see 158)

(In reply to comment #1)
> (In reply to comment #0)
> > The current certs that we have are self-signed by a Momo authority. The public
> > cert for that authority is not provided by default in the Mozilla cert store.
> > So when we sign emails with our certs they are not fully recognized on the
> > recipient side unless they have our public root certificate in their store.
>
> That's correct, and we certainly could put that CA somewhere easy for folks to
> download.

Could we move on with that option? As I would then just link to the certs in my emails ...

Should be on http://trunk.mozillamessaging.com/cacert.pem soon. Will make itself public on www.mozillamessaging.com during the next merge window.

URL will be: /cacert.crt as it seems to be a more common file extension.

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
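
The trust behaviour discussed in this bug, as an added example that is not part of the original thread: a message signed with a certificate from a private CA fails verification for a recipient whose store lacks that CA, and passes once the CA certificate is supplied. It uses the `openssl` command line as a stand-in for the mail client's certificate store; the helper names, CA names and e-mail address are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name, address and key below is constructed for the demo.

# verify_with <trusted-ca.pem> <signed-message>: exit status 0 only when the
# signer's chain ends in the given CA, which is the decision the recipient's
# certificate store makes.
verify_with() {
    openssl smime -verify -CAfile "$1" -in "$2" -out /dev/null 2>/dev/null
}

# new_ca <common-name> <file-prefix>: self-signed root (hypothetical helper).
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# smime_trust_demo: prints "<result without the CA>:<result with the CA>".
smime_trust_demo() {
    d=$(mktemp -d) || return 1
    new_ca "Example Private CA" "$d/private" || return 1    # the organisation's own CA
    new_ca "Unrelated Public CA" "$d/public" || return 1    # recipient's default store

    # Issue an e-mail signing certificate from the private CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Sender" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null || return 1
    printf '%s\n' 'keyUsage=digitalSignature' 'extendedKeyUsage=emailProtection' \
        'subjectAltName=email:sender@example.test' > "$d/ext.cnf"
    openssl x509 -req -in "$d/user.csr" -CA "$d/private.crt" -CAkey "$d/private.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/user.crt" 2>/dev/null || return 1

    # Sign a message the way the sender's mail client would.
    printf 'signed test message\n' > "$d/msg.txt"
    openssl smime -sign -in "$d/msg.txt" -signer "$d/user.crt" -inkey "$d/user.key" \
        -out "$d/signed.eml" 2>/dev/null || return 1

    # Recipient's view before and after obtaining the private CA certificate.
    if verify_with "$d/public.crt" "$d/signed.eml"; then before=trusted; else before=untrusted; fi
    if verify_with "$d/private.crt" "$d/signed.eml"; then after=trusted; else after=untrusted; fi
    rm -rf "$d"
    printf '%s:%s\n' "$before" "$after"
}

smime_trust_demo
```

A recipient who downloads a CA certificate from a web page should compare its fingerprint (`openssl x509 -noout -fingerprint -sha256 -in cacert.crt`) with a value obtained through a separate channel before importing it.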