[dev] Client side message signing
Arkadiusz Góralski
agoralski at certum.pl
Tue Feb 25 13:00:51 PST 2003
Hi,

I've hacked IMP and Horde, so it is now possible to compose a message and sign
it on the client side with an x509 certificate. It works in IE >=5.5 and it's
using MS Capicom 2.0 library, the signing part is done in VBS. It (message
signing) can be used in institutions where roaming profiles are used, the
certificate can also be stored on a crypto card or on a USB token. So you can
take your token and use it elsewhere (as long as the drivers are installed).
When you open such a message in Outlook it looks like a normal, signed message.

I can submit a patch at the end of this week so you can see it in action. As I
understand, I should patch it against the CVS version?

But there's a problem when the message contains attachments. For example, when
we want to sign a message with a 2MB Word document we have to:
-> send the attachment to the server,
-> include the attachment in the compose window (hidden), base64 encoded (so it'll
grow),
-> compose the multipart MIME message so the user can sign it (but IMP
composes the message after submitting the form, here it must be done earlier -
the user must sign the multipart message),
-> send the message (only the message and the signature are needed since the
attachment is already on the server)

So when using attachments there's additional traffic :( and you have to
compose the MIME and put it in a hidden textarea for signing.

I would like to hear your opinions. Do you think that client side message
signing is worth including in IMP?

Regards,
Arkadiusz Goralski: agoralski at certum.pl
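
The attachment steps in the message above, as an added Python illustration (not part of the original post and not IMP, Horde or CAPICOM code): it composes the multipart entity before signing and shows that a detached signature only verifies if the bytes sent are exactly the bytes that were signed. Function names, boundaries, the file name and the sample attachment are constructed, and SHA-256 stands in for whatever digest the signing library uses.

```python
import base64
import hashlib

CRLF = "\r\n"  # MIME line ending; the signed bytes must use it consistently

def compose_entity(text, filename, attachment, boundary):
    """Return the multipart/mixed entity (bytes) that the signature covers."""
    b64 = base64.encodebytes(attachment).decode("ascii").strip()
    lines = [
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
        "",
        f"--{boundary}",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        text,
        f"--{boundary}",
        f'Content-Type: application/octet-stream; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        "",
        *b64.split("\n"),  # 76-character base64 lines
        f"--{boundary}--",
        "",
    ]
    return CRLF.join(lines).encode("ascii")

def entity_digest(entity):
    """Digest the signer would sign (SHA-256 here, as an assumed stand-in)."""
    return hashlib.sha256(entity).hexdigest()

def signature_still_valid(signed_digest, entity_as_sent):
    """A detached signature verifies only if the sent bytes hash identically."""
    return entity_digest(entity_as_sent) == signed_digest

if __name__ == "__main__":
    attachment = bytes(range(256)) * 8192  # constructed 2 MB sample attachment
    client = compose_entity("See attached.", "report.doc", attachment, "b-client")
    signed = entity_digest(client)
    # Same content rebuilt after form submission, but with a different boundary
    server = compose_entity("See attached.", "report.doc", attachment, "b-server")
    print("attachment bytes:", len(attachment), "entity bytes:", len(client))
    print("sent as signed:", signature_still_valid(signed, client))
    print("re-composed:   ", signature_still_valid(signed, server))
```

Any server-side change after signing (a new boundary, re-wrapped base64 lines, different line endings) alters the digest, which is why the composed entity has to exist on the client before the user signs it.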