[imp] PGP and S/MIME

Arkadiusz Goralski goral@unet.pl
Fri, 10 May 2002 02:01:10 +0200


Hi,

Thursday, May 9, 2002, 12:12:58 AM, you wrote:

CG> Hmm.  IMP is useful for when you only have a browser, and it's not your
CG> computer;  therefore, you don't have your keys locally.  If you do (let's
CG> say you have a token or smartcard), then you may not be able to install
CG> the s/w to use it (e.g., my Litronics card needs a reader and software
CG> which I cannot rely on finding on someone else's computer;  and now that
CG> my portable is fried, it's useless).  For those reasons alone, it's
CG> helpful for IMP to be able to do everything on the server side.
CG> Fortunately, if building a message completely in IMP is onerous, openssl
CG> can be used to create the full message, given the correct parameters.

That's a good point, it's obvious, and it's the best solution if you have
only a browser on another computer.

CG> Nevertheless, it's also valuable to require two-factor authentication with
CG> a token or card.  How are you doing this?  I'm not saying that one product
CG> should be all things for all users, but it certainly could be possible to
CG> run two versions of IMP (okay, one version configured two ways) - one for
CG> roamers and one for users with tokens (e.g., a corporate site may require
CG> tokens, while a university might not).

Well, I think something like a combo box, for example:

IMP Stored: John Doe
IMP Stored: (PGP) David Doe
Local certificate: John Doe
Local Smart Card: John Doe

at the message composition window, would be a really nice feature,
combining the two methods without two separate IMP configurations.

AG>> This seems to be the only solution, but we've managed to actually sign
AG>> the message within the web browser and put the signed message back into
AG>> the HTML form for further operations (sending etc.). You can select
AG>> with which key you want to sign the message from the combo box.

CG> Nice.  Is this a CGI app?  PHP?  Something local, installed on your
CG> computers?  Java?

As for IE, it's client-side VBScript which calls the native
capicom.dll, which is installed by default, so no additional software
is needed; then the rest goes to PHP. We have a demo, but it's in
Polish :)

CG> I don't know - it seems to me that it's easier to manage private hierarchy
CG> signing keys if they're centrally maintained (yes, it's not difficult to
CG> provide them for your users, just tedious).  Put them in one place and
CG> they're immediately useful for IMP users, without having to download and
CG> trust them.

You have to really, really trust the server on which your private key
is stored. Personally, I wouldn't feel comfortable knowing that my
private key is stored somewhere, but that's only my opinion.

But on the other hand, you have no other choice when you're using some
other computer, which wasn't _that_ obvious to me when posting my
message here :)

CG> We've used crypto.signText() successfully for signing data in Communicator
CG> (4.75+);  it generates a pkcs7 blob which could then be either attached to
CG> a message or processed by openssl on the server.  The same goes for
CG> XSigner (part of Xetex' XSigner ActiveX control) for IE (we require 5.0+).

Nice to know that it's working in NC :)

-- 
Regards,
Arkadiusz Goralski: agoralski@certum.pl
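A worked example of the server-side half of this thread, added here and not code from the original message, from IMP or from Certum: building a complete signed S/MIME message with the openssl command line (CG's "openssl can be used to create the full message" point), verifying a signed message against a CA bundle the server controls, and reading the signer identity out of it only after verification succeeds. It assumes openssl is on PATH; the key, the self-signed certificate, the user name John Doe (taken from the combo box sketch above), the addresses john.doe@example.invalid and david.doe@example.invalid, and the message text are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from IMP: server-side S/MIME
# signing and verification with the openssl command line, in the role
# described above (build the whole signed message on the server, or check a
# PKCS#7 signature that the browser produced).
# Assumptions: openssl is on PATH; every key, certificate, address and
# message here is constructed for the example (throwaway, self-signed).
set -e

WORK="${WORK:-$(mktemp -d)}"

# Throwaway self-signed signing certificate for the constructed user John Doe.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=John Doe/emailAddress=john.doe@example.invalid" \
        -keyout "$WORK/john.key" -out "$WORK/john.crt" >/dev/null 2>&1
}

# Build a complete signed message (clear-signed multipart/signed by default)
# from a plain body: the "openssl can create the full message" case.
#   $1 = plain body file, $2 = output path for the RFC 822 message
sign_message() {
    openssl smime -sign -in "$1" -out "$2" \
        -signer "$WORK/john.crt" -inkey "$WORK/john.key" \
        -from 'john.doe@example.invalid' -to 'david.doe@example.invalid' \
        -subject 'signed test'
}

# Verify a signed message (whether built here or uploaded from the browser)
# against a CA bundle the server controls. openssl writes the signer
# certificate only when verification succeeds, so nothing below trusts an
# unverified blob. Returns non-zero on a bad signature or an untrusted chain.
#   $1 = signed message, $2 = CA bundle, $3 = where to write the signer cert
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$2" -signer "$3" \
        -out /dev/null 2>/dev/null
}

# Subject of a verified signer certificate, for comparing against the
# authenticated webmail user instead of trusting the From: header.
signer_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone walk-through: sign, verify, then show that a small change to
# the clear-text part makes verification fail.
run_demo() {
    make_test_cert
    printf 'Hello David,\n\nthis body is constructed for the example.\n' \
        > "$WORK/body.txt"
    sign_message "$WORK/body.txt" "$WORK/signed.msg"
    verify_message "$WORK/signed.msg" "$WORK/john.crt" "$WORK/signer.pem"
    echo "verified, signed by: $(signer_subject "$WORK/signer.pem")"
    sed 's/Hello David/Hello Dave/' "$WORK/signed.msg" > "$WORK/tampered.msg"
    if verify_message "$WORK/tampered.msg" "$WORK/john.crt" "$WORK/x.pem"; then
        echo "tampered message verified: this should not happen" >&2
        return 1
    fi
    echo "tampered copy rejected as expected"
}

run_demo
```

Two points a deployment would want to keep in mind. First, a PKCS#7 blob coming back from the browser is untrusted input: verify it against a CA bundle you control and compare the verified signer's subject with the user who is logged in to the webmail session, rather than with whatever the From: header says (a raw PKCS#7 object instead of a MIME message can be checked with the same verify command plus `-inform DER`). Second, `openssl smime -sign` clear-signs by default, so recipients without S/MIME support still see the text, but a mail gateway that reflows or re-encodes the body will break the signature; `-nodetach` produces an opaque signature that survives that at the cost of readability in such clients.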