[dev] Client side message signing

Arkadiusz Góralski agoralski at certum.pl
Tue Feb 25 13:00:51 PST 2003


Hi,

I've hacked IMP and Horde, so it is now possible to compose a message and sign 
it on the client side with an x509 certificate. It works in IE >=5.5 and it's 
using MS Capicom 2.0 library, the signing part is done in VBS. It (message 
signing) can be used in institutions where roaming profiles are used, the 
certificate can also be stored on a crypto card or on a USB token. So you can 
take your token and use it elsewhere (as long as the drivers are installed).

When you open such a message in Outlook it looks like a normal, signed message.

I can submit a patch at the end of this week so you can see it in action. As I 
understand, I should patch it against the CVS version?

But there's a problem when the message contains attachments. For example, when 
we want to sign a message with a 2MB Word document we have to:
-> send the attachment to the server,
-> include the attachment in the compose window (hidden), base64 encoded (so it'll 
grow),
-> compose the multipart MIME message so the user can sign it (but IMP 
composes the message after submitting the form, here it must be done earlier - 
the user must sign the multipart message),
-> send the message (only the message and the signature are needed since the 
attachment is already on the server)

So when using attachments there's additional traffic :( and you have to 
compose the mime and put it in hidden textarea for signing.

I would like to hear your opinions. Do you think that client side message 
signing is worth including in IMP?

Regards,
Arkadiusz Goralski: agoralski at certum.pl
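
The attachment steps in the message above, as an added Python example that is not part of the original post or of the IMP patch: it composes the multipart entity before signing, measures the base64 growth, and checks whether a server-side rebuild from the stored attachment yields the same bytes the client signed. The function names, boundary strings, sample data and the use of SHA-256 are assumptions, and the CAPICOM signature itself is not performed.

```python
import base64
import hashlib

CRLF = "\r\n"

def build_entity(body_text, filename, attachment, boundary, eol=CRLF):
    """Compose the multipart/mixed entity whose exact bytes get signed."""
    b64_lines = base64.encodebytes(attachment).decode("ascii").splitlines()
    lines = [
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain; charset=us-ascii",
        "Content-Transfer-Encoding: 7bit",
        "",
        *body_text.splitlines(),
        f"--{boundary}",
        f'Content-Type: application/octet-stream; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{filename}"',
        "",
        *b64_lines,
        f"--{boundary}--",
        "",
    ]
    return eol.join(lines).encode("ascii")

def digest_to_sign(entity):
    """Hash a signer would compute over the entity (SHA-256 is an assumption here)."""
    return hashlib.sha256(entity).hexdigest()

def base64_wire_size(attachment):
    """Bytes the attachment occupies inside the entity (76-char lines plus CRLF)."""
    return sum(len(l) + 2 for l in base64.encodebytes(attachment).splitlines())

def server_copy_matches(client_digest, body_text, filename, stored, boundary, eol=CRLF):
    """Rebuild the entity from the server's stored attachment and compare digests."""
    rebuilt = build_entity(body_text, filename, stored, boundary, eol)
    return digest_to_sign(rebuilt) == client_digest

if __name__ == "__main__":
    doc = bytes(range(256)) * 12  # constructed 3072-byte stand-in for the attachment
    body = "Hello,\nsee the attached report."
    d = digest_to_sign(build_entity(body, "report.doc", doc, "=_part_0001"))
    print("raw", len(doc), "-> base64 on the wire", base64_wire_size(doc))
    print("same inputs:", server_copy_matches(d, body, "report.doc", doc, "=_part_0001"))
    print("other boundary:", server_copy_matches(d, body, "report.doc", doc, "=_part_0002"))
    print("LF line endings:", server_copy_matches(d, body, "report.doc", doc, "=_part_0001", "\n"))
```

If the server rebuilds the message with a different boundary, line wrapping or line endings, the digest changes and the client's signature no longer verifies.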