From: Massimiliano P. <ma...@ha...> - 2001-06-22 09:24:37
Meessen Christophe wrote:
>
> Hello,

Hi,

[...]

> Apparently Outlook Express has built-in support for signed mails but
> requires some identification and directs to VeriSign, and this is not
> free as you know. I can't impose on people to pay some unknown company to
> be allowed to mail on my list, although I want to impose that people
> submitting to the list are clearly identified, at least to the list
> manager.

You don't have to.

[...]

> Imposing signed contributions would force people to take
> responsibility for what they say.

I agree with you.

> I am trying to figure out how this signature thing is working and it is
> not very clear. I had the impression that OpenCA could help me in
> providing the PKI infrastructure I would like to use for my mail list
> server.

That's exactly what OpenCA is for: providing the software to run a PKI.

> Do the clients (S/MIME) need to verify every message certification by
> checking at the certification centre?

No. After the clients have imported their own certificate and the CA's
certificate (only once) they can verify any signatures from certificates
issued by your CA without having to contact the PKI servers -- there are
some situations where you'll want to set up an OCSP (Online Certificate
Status Protocol) responder, where checking the signatures is EXTREMELY
important (i.e. financial transactions, contract signing, etc.), but this
is not your case.

> If I use OpenCA to provide certification so that people using Outlook
> Express or Mozilla, do I need to certify my certification service by
> VeriSign? Will they accept that if I want to run a cheap and hopefully
> free signature checking system?

No, you don't have to. The users will only have to import the CA's
certificate before asking for a certificate, nothing more.

> Would I end up having to pay for security? Our mailing list is a purely
> non-profit application. Would there be a free solution?

You can install the OpenCA software on your server and provide free
certificates to your users. You'll have to read something about PKI
structures as there are not many docs coming with the project (I don't
have time to write a good one -- but I will, sometime...).

> I understood that the Certification Authority is issuing the electronic
> equivalent of passports. This has to be very secure and done off network

This depends on your "Policy". You can state that the certificates are
only to be used by the list subscribers and that you are not liable for
misuse of your certificates ... and that should be enough. You can require
a valid identification method as well as only checking the e-mail
address; this is up to you. One thing that MUST be clear is what you are
going to provide to your users, and this information MUST be available
publicly; that's important.

> and manually for obvious security reasons. But how does one check the
> certificates? Do we have to send a request to the CA? Must this be
> done manually?

No, you can check one certificate by having all the certificates from the
"root" CA (one self-signed certificate) down to the certificate's issuing
CA.

    Root CA
       |
       v
    Middle CA (if any)
       |
       v
    Issuing CA
       |
       v
    User Certificate

This is a certification chain: having all the CAs' certificates down to
the user's cert will enable you to check his/her signatures. In the case
of a self-signed certificate for your CA, the only step is
RootCA->User Certificate, so the users will only need the CA's cert and
the signer's cert (this is usually sent together with the signature) to
verify the signature.

Hope this helps.

--
C'you,

	Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]      ma...@op...
                                                ma...@ha...
http://www.openca.org                           Tel.:   +39 (0)59 270 094
http://openca.sourceforge.net                   Mobile: +39 (0)347 7222 365
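The chain and the offline verification described in the reply above, shown with plain openssl commands. This is an added example, not OpenCA's own code or anything from the original thread: it builds a Root CA -> Issuing CA -> User certificate chain, signs an S/MIME message with the user key, and verifies it using nothing but the root CA certificate, because the signer's and issuing CA's certificates travel inside the signature. All names, e-mail addresses, file names and the message text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not OpenCA code): three-level certification chain built
# offline with openssl, then S/MIME sign + verify with only the root trusted.
set -u

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs
cd "$WORK"

make_chain() {
  # 1. Self-signed root CA: the trust anchor every list member imports once.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example List Root CA" -keyout root.key -out root.pem 2>/dev/null

  # 2. Issuing CA, signed by the root. basicConstraints CA:TRUE is required:
  #    openssl verify refuses to treat a non-root cert without it as a CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example List Issuing CA" \
    -keyout issuing.key -out issuing.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > issuing.ext
  openssl x509 -req -days 365 -in issuing.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile issuing.ext -out issuing.pem 2>/dev/null

  # 3. User (signer) certificate from the issuing CA; the e-mail address goes
  #    into subjectAltName, which is what S/MIME clients match against.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Alice Example" \
    -keyout user.key -out user.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=email:alice@example.invalid\nextendedKeyUsage=emailProtection\n' > user.ext
  openssl x509 -req -days 365 -in user.csr -CA issuing.pem -CAkey issuing.key \
    -CAcreateserial -extfile user.ext -out user.pem 2>/dev/null

  # An unrelated root that the list never trusts, for the negative check.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Somebody Else Root CA" -keyout other.key -out other.pem 2>/dev/null
}

# Chain check: only root.pem is trusted; issuing.pem is "untrusted" material
# that merely links the user certificate up to the root.
verify_user_cert() {
  openssl verify -no-CApath -CAfile root.pem -untrusted issuing.pem user.pem
}

# Sign a (constructed) list post. -certfile bundles the issuing CA cert into
# the signature so recipients need nothing beyond the root.
sign_message() {
  printf 'Hello list, this post is genuine.\n' > msg.txt
  openssl smime -sign -in msg.txt -signer user.pem -inkey user.key \
    -certfile issuing.pem -out msg.p7m
}

# Verify: $1 = the only trusted certificate, $2 = signed message file.
# No contact with any CA server happens here.
verify_signature() {
  openssl smime -verify -no-CApath -CAfile "$1" -in "$2" -out verified.txt
}

# List the certificates carried inside the signature (signer + issuing CA).
embedded_certs() {
  openssl smime -pk7out -in msg.p7m | openssl pkcs7 -print_certs -noout
}

# Alter the clear-text body of the signed message to show the signature
# no longer verifies.
tamper_message() {
  sed 's/genuine/forged/' msg.p7m > tampered.p7m
}

make_chain
verify_user_cert
sign_message
verify_signature root.pem msg.p7m && echo "OK: verified with only root.pem"
embedded_certs
if verify_signature other.pem msg.p7m 2>/dev/null; then
  echo "unexpected: accepted under an unrelated root"
else
  echo "OK: rejected under an unrelated root"
fi
tamper_message
if verify_signature root.pem tampered.p7m 2>/dev/null; then
  echo "unexpected: tampered message accepted"
else
  echo "OK: tampered message rejected"
fi
```

The `-no-CApath` flag keeps the system certificate directory out of the trust store, so the positive result really rests on `root.pem` alone. For the single-level case the reply mentions (a self-signed CA issuing user certificates directly), drop the issuing CA step and the `-untrusted`/`-certfile` arguments; the verification side is unchanged.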