pki-tc message

Subject: Re: [pki-tc] Extranet S/MIME?


Since I'm not familiar with your operational or infrastructure
constraints, Catherine, it would be hard for me to appreciate
why the LDAP directory might be considered "inelegant".

However, assuming standard business & IT objectives - reduced
TCO, security, simplicity, etc. - in my experience, the LDAP
Directory solves many aspects of large scale PKI deployments:

1) PKI software vendors provide built-in tools to publish certs
    to the Directory, thus simplifying publishing;
2) Directories support TLS-based authentication (including client-
    auth), providing for strong authentication for writing into the
    Directory (ensuring highly restricted access for writing into
    the directory);
3) Directories are extensible - thus allowing you to incrementally
    add Authorization rules for applications, configuration data,
    user preferences, etc. while maintaining a single repository;
4) The LDAP protocol is integrated into many applications and
    application frameworks, simplifying future support requirements;
5) Directories support automatic replication, providing for high
    availability, even when you're not using clustering or other
    HA technology;
6) Directories support a rich ACI framework, providing significant
    levels of granularity in access control;
7) Directories are well understood in the industry - from an
    operations, developers and security administrator's point of
    view - thereby reducing support costs; and last, but not least
8) Directories are cheap - free on many operating systems, as I'm
    sure you're aware :-)

So, unless there are specific constraints that make it difficult
in your implementation, I am hard-pressed to come up with a more
elegant solution for making encryption certs available to senders.
We've been using Directories for 5 years now in all the PKIs
we've implemented, and haven't run into any show-stoppers yet.

Hope that helps.

Arshad Noor
StrongAuth, Inc.

licather@wellsfargo.com wrote:
> Thanks Arshad! Correction from me... I meant sender needs to get
> recipient's certificate in order to encrypt the email. Sorry about the
> confusion.
> 
> We've explored both options you suggested, i.e., setting up an LDAP
> server (for publishing the recipients' certificates) or exchanging
> signed emails (proved to be not too scalable). I'm hoping to
> find a more elegant solution than these two. Thoughts?
> 
> Thanks,
> Catherine Li 
> CAST PKI Development 
> Wells Fargo Services 
> Office:   415.243.6228 
> Fax:      415.975.6780 
> MAC:    A0186-056 
> Email:   licather@wellsfargo.com 
> 
> This message may contain confidential and/or privileged information.  If
> you are not the addressee or authorized to receive this for the
> addressee, you must not use, copy, disclose, or take any action based on
> this message or any information herein.  If you have received this
> message in error, please advise the sender immediately by reply e-mail
> and delete this message.  Thank you for your cooperation.
> 
> 
> -----Original Message-----
> From: Arshad Noor [mailto:arshad.noor@strongauth.com] 
> Sent: Wednesday, January 05, 2005 6:12 PM
> To: Li, Catherine
> Cc: pki-tc@lists.oasis-open.org
> Subject: Re: [pki-tc] Extranet S/MIME?
> 
> Catherine,
> 
> Encryption in S/MIME works counter-intuitively to what one expects -
> the decryption of encrypted S/MIME messages does not require the
> sender to have a digital certificate at all (he/she does need to
> have the RECIPIENT's certificate though, to encrypt the message in
> the first place).  The recipient need only have the private key to
> their encryption certificate to decrypt the S/MIME contents.
> 
> If your goal is only encrypted S/MIME, then you do need to set up a
> repository (typically, an LDAP directory) where the encryption cert
> of the recipient is available to senders.  If setting up such a
> repository is not feasible, an alternate way to ensure that senders
> have the recipients' encryption certificate is to have the recipients
> send a digitally signed e-mail to all senders.  This automatically
> sends the signers' digital certificates in the S/MIME object.
> Compliant S/MIME tools - such as Netscape's Messenger, Outlook
> Express, (haven't tested Thunderbird yet - but will probably work)
> will automatically import the senders' digital certificates into the
> local address book.
> 
> The next time the sender wants to send the recipient an encrypted
> message, the recipients' encryption cert will already be available
> to them locally to perform the encryption, thus obviating the need
> to access a repository for the encryption cert.
> 
> Hope that helps.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> licather@wellsfargo.com wrote:
> 
>>Hi All,
>>
>> 
>>
>>I'm seeking expert opinions and recommendations on how to support S/MIME
>>communications in an extranet. Specifically, decrypting an encrypted email
>>from another company, i.e., the recipient needs to get hold of the
>>email author's certificate. Does that mean there needs to be an
>>extranet directory service to facilitate obtaining certificates? If not,
>>what service needs to be set up to facilitate that?
>>
>> 
>>
>>Thank you in advance,
>>
>>Catherine Li
>>
>>CAST PKI Development
>>
>>Wells Fargo Services
>>
>>Office:   415.243.6228
>>
>>Fax:      415.975.6780
>>
>>MAC:    A0186-056
>>
>>Email:   licather@wellsfargo.com
>>
>> 
>>
>>This message may contain confidential and/or privileged information.  If
>>you are not the addressee or authorized to receive this for the
>>addressee, you must not use, copy, disclose, or take any action based on
>>this message or any information herein.  If you have received this
>>message in error, please advise the sender immediately by reply e-mail
>>and delete this message.  Thank you for your cooperation.
>>
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from the roster of
> the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/pki-tc/members/leave_workgroup.php.
> 
> 


