[imp] unable to access older encrypted emails because only one key is stored at a time
Greg Shah
ges at goldencode.com
Wed Oct 27 19:05:22 UTC 2010
I am using IMP 4.3.6 and Horde 3.3.6 with Apache 2.2.14 on Ubuntu
Server 10.04 (64-bit). As far as I know, everything is working as
designed, including S/MIME support.
I am shifting users from a Mozilla Thunderbird IMAP installation to
one using IMP. I have found one behavior that I think is probably
expected, and if so I would like to understand the implications. If
it is not expected, then I would like to resolve my configuration
problem (or bug) as is possible.
We use S/MIME for many emails each day. We have used this for years,
which means we have tens of thousands of encrypted emails stored for
each user. Annually, each email user gets a new digital certificate
from Verisign. At that time, the new public key is sent to the other
users and encrypted communication continues to be possible. In IMP,
it seems that only the most recent public key can be stored at one
time. As far as I can tell, older (expired) keys cannot be/are not
stored.
This means that emails written with any of the expired keys can never
be read again, even though they are not in themselves invalid in any
way. They just cannot be decrypted any longer because the proper keys
no longer exist in IMP.
On Thunderbird, the certificate/key store retains all of the older
expired keys (your own private key/cert as well as the public keys of
others). This capability then enables it to continue to decrypt email
long after the keys themselves are expired. This is extremely useful
and in fact, a bit of a show-stopper for me since we can't afford to
lose all archived email each time a key changes.
I have looked through the mailing list archives, the IMP
documentation, the Horde/IMP FAQ, Google searches... and have also
tried to experiment to see if I could get multiple keys stored. As
far as I can tell it is not something that can be done and this is not
a bug, but just an implementation choice. Is that correct?
If so, is there anything planned in this area in the future (what is
the possibility of adding this feature)?
If not, I would appreciate any guidance on how I went wrong.
Best Regards,
Greg Shah
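The failure mode the post describes, a key store that keeps only the current private key, can be modelled directly. The following is an added example and is not code from the post, from Horde or from IMP; it uses only the Python standard library. The cipher is a constructed HMAC-keystream toy standing in for the real CMS/S/MIME envelope, the symmetric "secret" stands in for the RSA key pair, and the issuer/serial pair mirrors how CMS EnvelopedData names the recipient certificate a message was encrypted to. `SingleSlotStore` behaves as the post says IMP does (installing a renewed key replaces the old one); `RetainingStore` behaves as the post says Thunderbird does (superseded keys stay, looked up by identifier). All names and values are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


# CMS names the recipient key by the certificate's issuer and serial number.
# This dataclass is the constructed stand-in for that identifier.
@dataclass(frozen=True)
class KeyId:
    issuer: str
    serial: int


@dataclass(frozen=True)
class PrivateKey:
    key_id: KeyId
    secret: bytes   # constructed: symmetric secret stands in for the RSA private key
    expires: int    # year the certificate expires; irrelevant to decryption


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(secret, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_for(key: PrivateKey, plaintext: bytes) -> dict:
    """Envelope a message to one recipient key; records which key was used."""
    nonce = os.urandom(16)
    ks = _keystream(key.secret, nonce, len(plaintext))
    return {"recipient": key.key_id, "nonce": nonce,
            "ciphertext": bytes(a ^ b for a, b in zip(plaintext, ks))}


def _decrypt_with(key: PrivateKey, message: dict) -> bytes:
    ks = _keystream(key.secret, message["nonce"], len(message["ciphertext"]))
    return bytes(a ^ b for a, b in zip(message["ciphertext"], ks))


class SingleSlotStore:
    """Holds one private key; installing a renewed key discards the old one."""

    def __init__(self) -> None:
        self._key: Optional[PrivateKey] = None

    def install(self, key: PrivateKey) -> None:
        self._key = key

    def decrypt(self, message: dict) -> Optional[bytes]:
        if self._key is None or self._key.key_id != message["recipient"]:
            return None  # the key the sender used is gone; mail is unreadable
        return _decrypt_with(self._key, message)


class RetainingStore:
    """Keeps every key ever installed, selected by the identifier in the envelope."""

    def __init__(self) -> None:
        self._keys: Dict[KeyId, PrivateKey] = {}

    def install(self, key: PrivateKey) -> None:
        self._keys[key.key_id] = key

    def decrypt(self, message: dict) -> Optional[bytes]:
        key = self._keys.get(message["recipient"])
        return None if key is None else _decrypt_with(key, message)


def simulate_rotation(store) -> Optional[bytes]:
    """Encrypt a mail to the 2009 certificate, renew to the 2010 one, then try
    to read the archived mail. Returns the plaintext, or None if unreadable."""
    key_2009 = PrivateKey(KeyId("Example CA", 1001), b"constructed-secret-2009", 2009)
    key_2010 = PrivateKey(KeyId("Example CA", 2002), b"constructed-secret-2010", 2010)
    store.install(key_2009)
    archived = encrypt_for(key_2009, b"quarterly numbers, sent 2009")
    store.install(key_2010)  # annual certificate renewal
    return store.decrypt(archived)


if __name__ == "__main__":
    print("single slot :", simulate_rotation(SingleSlotStore()))
    print("retaining   :", simulate_rotation(RetainingStore()))
```

The expiry year never enters the decryption path: an expired certificate only limits whether new mail should be encrypted to it, so the archival requirement is purely that the store keep the superseded private key and look it up by the identifier the sender put in the envelope.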