If your friend is encrypting the message, whose digital certificate is he using to encrypt it with? Yours? Do you have a digital certificate with an associated Private Key in your Tbird keystore? If so, are you trying to read the encrypted e-mail from the same machine where you have your Private Key?
In order to sign an e-mail, a Sender (your friend, in this case) must have a digital certificate and an associated Private Key to sign it. You do not need a certificate of your own to read signed e-mails, since they are unencrypted. However, to verify the signed e-mail, you must have the certificate-chain of your friend's digital certificate. If your friend got his certificate from some public certificate-issuer, you probably have the chain in Tbird already, and that's why the signed e-mail can be verified.

However, in order to encrypt an e-mail, the Sender MUST HAVE the *recipient's* digital certificate, and the recipient must have the associated Private Key of that digital certificate to decrypt it. If you do not have a digital certificate, I'm not sure whose digital certificate he pointed to to encrypt it. If you do have one, then you must read the e-mail on the same machine that has the Private Key to that digital certificate (assuming you're not using a smartcard or some other external cryptographic device).

The encrypted e-mail from yourself to your friend works, because the first time he sent you a signed e-mail and you verified it, Tbird placed his digital certificate in your Tbird's certificate-store and consequently, you had his (the recipient) digital certificate to encrypt your message with.

Hope that helps.

Arshad Noor
StrongAuth, Inc.

Paul Kinzelman wrote:
I originally posted this issue on moz.sup.tbird and somebody suggested posting it here. The suggestion I got over there was to try https://nic-nac-project.de/~kaosmos/p7mHandler-en.html but that didn't change anything.

I'm using Tbird 2.0.0.17 (20080914)

When a friend uses an Apple to digitally sign a message, I can validate his signature OK (so that means I have his cert properly in Tbird, right?), but when he encrypts the message, I get a "Thunderbird cannot decrypt this message" error. He's not using PGP, he's doing it in SMIME. I can encrypt and sign a message with my cert that he can read.

I'll append first the header of the encrypted message that I can't read, and then I'll append the header of the signed message that I can read (because it's not encrypted) and the signature validates OK.

Any suggestions would be greatly appreciated. I'm kind of new at this encryption stuff so feel free to treat me as an idiot. :-)

------------------------------------------
Here's the header of the encrypted message body that I can't read:

From - Tue Oct 21 13:36:49 2008
X-Account-Key: account4
X-UIDL: 514289371
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from SMTP32-FWD by kinzelman.com (SMTP32) id A087B00A70000AEC2; Tue, 21 Oct 2008 08:51:07 -0800
Received: from mx1.timesync.com [12.181.175.91] by antares.timesync.com with ESMTP (SMTPD-8.22) id A87B018C; Tue, 21 Oct 2008 08:51:07 -0800
X-policyd-weight: passed - too many local DNS-errors in dsn.rfc-ignorant.org lookups
Received: from star3.baremetal.com (star3.baremetal.com [64.69.88.78]) by mx1.timesync.com (Postfix) with ESMTP id 99EAC67819 for <[EMAIL PROTECTED]>; Tue, 21 Oct 2008 09:50:31 -0700 (PDT)
Received: from [192.168.15.3] (adsl-75-37-8-19.dsl.pltn13.sbcglobal.net [75.37.8.19]) by star3.baremetal.com (8.13.4/8.12.10) with ESMTP id m9LG6LEA006885 for <[EMAIL PROTECTED]>; Tue, 21 Oct 2008 09:07:17 -0700
Mime-Version: 1.0 (Apple Message framework v753.1)
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Content-Type: application/pkcs7-mime; name=smime.p7m; smime-type=enveloped-data
Message-Id: <[EMAIL PROTECTED]>
Content-Disposition: attachment; filename=smime.p7m
Content-Transfer-Encoding: base64
From: Richard Haley <[EMAIL PROTECTED]>
Subject: Re: HTML question
Date: Tue, 21 Oct 2008 09:07:52 -0700
To: [EMAIL PROTECTED]
X-Mailer: Apple Mail (2.753.1)
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 514289371
X-IMail-ThreadID: 087b00000854630f
X-Antivirus: AVG for E-mail 8.0.173 [270.7.5/1708]

MIAGCSqGSIb3DQEHA6CAMIACAQAxggMkMIIBjgIBADB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQK
[etc.]

-------------------------------------
And here's a message that's not encrypted but is signed and I can validate his signature successfully:

From - Tue Oct 21 13:37:06 2008
X-Account-Key: account4
X-UIDL: 514289377
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from SMTP32-FWD by kinzelman.com (SMTP32) id A0C97008E0000AF92; Tue, 21 Oct 2008 09:08:39 -0800
Received: from mx1.timesync.com [12.181.175.91] by antares.timesync.com with ESMTP (SMTPD-8.22) id AC97018C; Tue, 21 Oct 2008 09:08:39 -0800
X-policyd-weight: passed - too many local DNS-errors in dsn.rfc-ignorant.org lookups
Received: from star3.baremetal.com (star3.baremetal.com [64.69.88.78]) by mx1.timesync.com (Postfix) with ESMTP id C67C26781E for <[EMAIL PROTECTED]>; Tue, 21 Oct 2008 10:08:09 -0700 (PDT)
Received: from [192.168.15.3] (adsl-75-37-8-19.dsl.pltn13.sbcglobal.net [75.37.8.19]) by star3.baremetal.com (8.13.4/8.12.10) with ESMTP id m9LH7Sj8026021 for <[EMAIL PROTECTED]>; Tue, 21 Oct 2008 10:07:29 -0700
Mime-Version: 1.0 (Apple Message framework v753.1)
In-Reply-To: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Content-Type: multipart/signed; micalg=sha1; boundary=Apple-Mail-1--658940438; protocol="application/pkcs7-signature"
Message-Id: <[EMAIL PROTECTED]>
From: Richard Haley <[EMAIL PROTECTED]>
Subject: Re: HTML question
Date: Tue, 21 Oct 2008 10:07:58 -0700
To: [EMAIL PROTECTED]
X-Mailer: Apple Mail (2.753.1)
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 514289377
X-IMail-ThreadID: 0c9700000854715a
X-Antivirus: AVG for E-mail 8.0.173 [270.7.5/1708]

--Apple-Mail-1--658940438
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

[I deleted the text of the message here.]

--Apple-Mail-1--658940438
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Disposition: attachment; filename=smime.p7s

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGIzCCAtww
[etc.]

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
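An S/MIME `smime.p7m` body names, in its RecipientInfo entries, the issuer and serial number of every certificate it was encrypted to, so the question raised in the reply (whose certificate was used?) can be answered from the message itself. The following is an added example, not part of the original thread or of Thunderbird: a minimal standard-library reader for that list, following the layout visible in the quoted `MIAG...` prefix (indefinite-length outer wrappers, version-0 recipient entries). The function names, the "Example CA" issuer and the serial numbers are constructed for illustration.

```python
import base64

ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # OID 1.2.840.113549.1.7.3

def tlv(buf, pos):
    """Decode one BER header: (tag, value_start, value_end); end is None if indefinite."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:                          # indefinite-length form
        return tag, pos, None
    if first & 0x80:                           # long form: next n bytes hold the length
        n = first & 0x7F
        return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos, pos + first

def recipients(p7m_b64):
    """Return [(issuer_der_hex, serial)] for each RecipientInfo in an smime.p7m body."""
    # Assumes version-0 KeyTransRecipientInfo (issuerAndSerialNumber), no originatorInfo.
    buf = base64.b64decode(p7m_b64)
    _, pos, _ = tlv(buf, 0)                    # ContentInfo SEQUENCE
    _, start, end = tlv(buf, pos)              # contentType OID
    if buf[start:end] != ENVELOPED_DATA:
        raise ValueError("not enveloped-data")
    _, pos, _ = tlv(buf, end)                  # [0] EXPLICIT wrapper
    _, pos, _ = tlv(buf, pos)                  # EnvelopedData SEQUENCE
    _, _, pos = tlv(buf, pos)                  # version INTEGER (skipped)
    tag, pos, set_end = tlv(buf, pos)          # recipientInfos SET
    if tag != 0x31 or set_end is None:
        raise ValueError("unsupported layout")
    found = []
    while pos < set_end:
        _, inner, nxt = tlv(buf, pos)          # one RecipientInfo SEQUENCE
        _, _, inner = tlv(buf, inner)          # its version
        _, inner, _ = tlv(buf, inner)          # IssuerAndSerialNumber SEQUENCE
        _, _, name_end = tlv(buf, inner)       # issuer Name
        _, s0, s1 = tlv(buf, name_end)         # serialNumber INTEGER
        found.append((buf[inner:name_end].hex(), int.from_bytes(buf[s0:s1], "big")))
        pos = nxt                              # skips key algorithm and encrypted key
    return found

def addressed_to(p7m_b64, my_issuer_hex, my_serial):  # is my certificate a recipient?
    return (my_issuer_hex, my_serial) in recipients(p7m_b64)

def enc(tag, body):                            # sample builder: short-form lengths only
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real message: made-up issuer and serials, no ciphertext.
ISSUER = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x13, b"Example CA"))))
def sample(serials):
    infos = b"".join(enc(0x30, enc(0x02, b"\x00") + enc(0x30, ISSUER + enc(0x02, s.to_bytes(2, "big")))
                         + enc(0x04, b"\x00" * 4)) for s in serials)
    der = b"\x30\x80" + enc(0x06, ENVELOPED_DATA) + b"\xa0\x80\x30\x80" + enc(0x02, b"\x00") + enc(0x31, infos)
    return base64.b64encode(der).decode()
```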