Subject: Fw: [pki-tc] Extranet S/MIME?





Dear Arshad:
    Thanks for the comments. Yes, a cross certificate is just one of the many
feasible ways to set up the TRUST between different PKI domains. There are
lots of ways to set up such a trust relationship, not necessarily by cross
certification.
    Thanks for the comments again.
Best regards,


> 歐崇明(Chung-Ming Ou, Ph.D.)
> Chunghwa Telecom Laboratories, Project 8F0
> Project 8F0 (Public Key Infrastructure & Information Security)
> Telecommunication Laboratories
> Chunghwa Telecom. Co.,Ltd.
> TEL: + 886 3 4245879
> MO: +886 928211042
> FAX: + 886 3 4244147
>
>
> ----- Original Message ----- 
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "Chung-Ming Ou" <cou@cht.com.tw>
> Cc: <pki-tc@lists.oasis-open.org>
> Sent: Thursday, January 06, 2005 10:49 AM
> Subject: Re: [pki-tc] Extranet S/MIME?
>
>
>> Chung-Ming,
>>
>> While having the right certificate profile is essential for S/MIME,
>> there is no need for the issuance of cross-certificates between PKI
>> domains, for S/MIME to work.  As long as the receiving side has the
>> certificate-chain for digitally signed messages, the signature can
>> be verified even in the absence of cross-certification.
>>
>> For encrypted S/MIME, even the certificate-chain is unnecessary, as
>> long as you, the sender, trust that the public key in the certificate
>> (you're using to do the encryption) belongs to the person you want to
>> send the encrypted message to.  Not ideal; perhaps, not even elegant,
>> but it works.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Chung-Ming Ou wrote:
>>> Thanks for Arshad's comments.
>>> From the test experience of the Asia PKI Forum Interoperability WG, once the
>>> certificate profiles are agreed and comply with the way the Windows OS
>>> handles certificates and CRLs, and the different PKI domains issue cross
>>> certificates to each other, S/MIME (we use Outlook Express) is OK.
>>>
>>> 歐崇明(Chung-Ming Ou, Ph.D.)
>>> Chunghwa Telecom Laboratories, Project 8F0
>>> Project 8F0 (Public Key Infrastructure & Information Security)
>>> Telecommunication Laboratories
>>> Chunghwa Telecom. Co.,Ltd.
>>> TEL: + 886 3 4245879
>>> MO: +886 928211042
>>> FAX: + 886 3 4244147
>>>
>>>
>>> ----- Original Message -----
>>> From: "Arshad Noor" <arshad.noor@strongauth.com>
>>> To: <licather@wellsfargo.com>
>>> Cc: <pki-tc@lists.oasis-open.org>
>>> Sent: Thursday, January 06, 2005 10:12 AM
>>> Subject: Re: [pki-tc] Extranet S/MIME?
>>>
>>>
>>>> Catherine,
>>>>
>>>> Encryption in S/MIME works counter-intuitively to what one expects -
>>>> the decryption of encrypted S/MIME messages does not require the
>>>> sender to have a digital certificate at all (he/she does need to
>>>> have the RECIPIENT's certificate though, to encrypt the message in
>>>> the first place).  The recipient need only have the private key to
>>>> their encryption certificate to decrypt the S/MIME contents.
>>>>
>>>> If your goal is only encrypted S/MIME, then you do need to set up a
>>>> repository (typically, an LDAP directory) where the encryption cert
>>>> of the recipient is available to senders.  If setting up such a
>>>> repository is not feasible, an alternate way to ensure that senders
>>>> have the recipients' encryption certificate is to have the recipients
>>>> send a digitally signed e-mail to all senders.  This automatically
>>>> sends the signers' digital certificates in the S/MIME object.
>>>> Compliant S/MIME tools - such as Netscape's Messenger and Outlook
>>>> Express (haven't tested Thunderbird yet - but it will probably work) -
>>>> will automatically import the senders' digital certificates into the
>>>> local address book.
>>>>
>>>> The next time the sender wants to send the recipient an encrypted
>>>> message, the recipient's encryption cert will already be available
>>>> to them locally to perform the encryption, thus obviating the need
>>>> to access a repository for the encryption cert.
>>>>
>>>> Hope that helps.
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>> licather@wellsfargo.com wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I'm seeking expert opinions and recommendations on how to support S/MIME
>>>>> communications in an extranet. Specifically, decrypting an encrypted
>>>>> email from another company, i.e., the recipient needs to get hold of
>>>>> the email author's certificate. Does that mean there needs to
>>>>> be an extranet directory service to facilitate obtaining certificates?
>>>>> If not, what service needs to be set up to facilitate that?
>>>>>
>>>>> Thank you in advance,
>>>>>
>>>>> Catherine Li
>>>>> CAST PKI Development
>>>>> Wells Fargo Services
>>>>> Office:   415.243.6228
>>>>> Fax:      415.975.6780
>>>>> MAC:    A0186-056
>>>>> Email:   licather@wellsfargo.com
>>>>>
>>>>>  This message may contain confidential and/or privileged information. 
>>>>> If you are not the addressee or authorized to receive this for the 
>>>>> addressee, you must not use, copy, disclose, or take any action based 
>>>>> on this message or any information herein.  If you have received this 
>>>>> message in error, please advise the sender immediately by reply e-mail 
>>>>> and delete this message.  Thank you for your cooperation.
>>>>>
>>>>
>>>>
>>>> To unsubscribe from this mailing list (and be removed from the roster 
>>>> of the OASIS TC), go to 
>>>> http://www.oasis-open.org/apps/org/workgroup/pki-tc/members/leave_workgroup.php.
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
> 