
pki-tc message



Subject: RE: [pki-tc] Extranet S/MIME?


Thanks Arshad! Correction from me... I meant the sender needs to get the
recipient's certificate in order to encrypt the email. Sorry about the
confusion.

We've explored both options you suggested, i.e., setting up an LDAP
server (for publishing the recipients' certificates) or exchanging
signed emails (proved to be not too scalable). I'm hoping to find a
more elegant solution than these two. Thoughts?

Thanks,
Catherine Li 
CAST PKI Development 
Wells Fargo Services 
Office:   415.243.6228 
Fax:      415.975.6780 
MAC:    A0186-056 
Email:   licather@wellsfargo.com 

This message may contain confidential and/or privileged information.  If
you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based on
this message or any information herein.  If you have received this
message in error, please advise the sender immediately by reply e-mail
and delete this message.  Thank you for your cooperation.


-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com] 
Sent: Wednesday, January 05, 2005 6:12 PM
To: Li, Catherine
Cc: pki-tc@lists.oasis-open.org
Subject: Re: [pki-tc] Extranet S/MIME?

Catherine,

Encryption in S/MIME works counter-intuitively to what one expects -
the decryption of encrypted S/MIME messages does not require the
sender to have a digital certificate at all (he/she does need to
have the RECIPIENT's certificate though, to encrypt the message in
the first place).  The recipient need only have the private key to
their encryption certificate to decrypt the S/MIME contents.

If your goal is only encrypted S/MIME, then you do need to set up a
repository (typically, an LDAP directory) where the encryption cert
of the recipient is available to senders.  If setting up such a
repository is not feasible, an alternate way to ensure that senders
have the recipients' encryption certificate is to have the recipients
send a digitally signed e-mail to all senders.  This automatically
sends the signers' digital certificates in the S/MIME object.
Compliant S/MIME tools - such as Netscape's Messenger, Outlook
Express, (haven't tested Thunderbird yet - but will probably work)
will automatically import the senders' digital certificates into the
local address book.

The next time the sender wants to send the recipient an encrypted
message, the recipients' encryption cert will already be available
to them locally to perform the encryption, thus obviating the need
to access a repository for the encryption cert.

Hope that helps.

Arshad Noor
StrongAuth, Inc.

licather@wellsfargo.com wrote:
> Hi All,
>
> I'm seeking expert opinions and recommendations how to support S/MIME
> communications in an extranet. Specially, decrypting an encrypted email
> from another company, i.e., the recipient needs to get hold of the
> certificate of the email author's. Does that mean, there needs to be an
> extranet directory service to facilitate obtaining certificates? If not,
> what service needs to be set up to facilitate that?
>
> Thank you in advance,
>
> Catherine Li
> CAST PKI Development
> Wells Fargo Services
> Office:   415.243.6228
> Fax:      415.975.6780
> MAC:    A0186-056
> Email:   licather@wellsfargo.com
> 
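
The certificate exchange Arshad describes, replayed with the OpenSSL command line as an added example that is not part of the original thread. The identity `recipient@example.com`, the message text, the file names and the self-signed certificate (standing in for one issued by the partner's CA) are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added illustration of the signed-mail certificate exchange from the thread.
# The identity, message text and file names are constructed for this demo.

smime_exchange() (
  d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT && cd "$d" &&

  # Recipient: key pair plus a self-signed certificate (stands in for one
  # issued by the partner company's CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Recipient Example/emailAddress=recipient@example.com" \
    -keyout rcpt.key -out rcpt.crt 2>/dev/null &&

  # 1. Recipient sends an ordinary signed mail; the S/MIME object carries
  #    the signer's certificate.
  printf 'Hello, here is my signed introduction.\n' > intro.txt &&
  openssl smime -sign -in intro.txt -signer rcpt.crt -inkey rcpt.key \
    -out signed.eml &&

  # 2. Sender (no certificate or key of their own) verifies the signature
  #    against a trust anchor and saves the signer certificate. Here the
  #    anchor is the self-signed cert itself; in production it is the CA
  #    you agreed to trust, so an unvalidated cert is never stored.
  openssl smime -verify -in signed.eml -CAfile rcpt.crt \
    -signer harvested.crt -out /dev/null &&

  # 3. Sender encrypts to the harvested certificate; only a public key is used.
  printf 'Quarterly figures attached.\n' > secret.txt &&
  openssl smime -encrypt -binary -aes256 -in secret.txt \
    -out encrypted.eml harvested.crt &&

  # 4. Recipient decrypts with the private key matching that certificate.
  openssl smime -decrypt -in encrypted.eml -recip rcpt.crt -inkey rcpt.key
)

smime_exchange
```

Step 2 is where a mail client's automatic import either validates the chain or silently trusts whatever certificate arrived, so that is the setting to check when relying on this method across companies.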

