Hello, Nelson.
On Fri, 11 Dec 2009, Nelson B Bolyard wrote:
On 2009-12-10 02:12 PST, Gregory BELLIER wrote:
I noticed the 3DES cipher is used to encrypt emails with S/MIME and I would
like to use another one.
According to the version of S/MIME standards that are implemented in Mozilla
mail clients, you can only encrypt using one of:
a) the ciphers that the correspondent has previously informed you that it
supports (which it would have done by sending you a signed email message), or
b) using the one cipher that all S/MIME implementations of that era were
REQUIRED to implement to ensure interoperability.
If you have NOT received any signed emails from the correspondent to whom you
wish to send encrypted email, then you have no choice but to use the one
required cipher. If you HAVE received a signed email from that correspondent,
then your Mozilla email client will automatically pick the strongest cipher
that is mutually supported.
You CANNOT send a message encrypted in a cipher that your email program does
not KNOW that your correspondent supports.
No, not so simple.
In common sense, choosing cipher is a human decision, not a sending agent one.
There could be strong reasons for this:
-- I am prohibited to send particular information encrypted with a weak
cipher. It's up to recipient how to decrypt it.
-- There could be local policies and law enforcements mandating the use of
particular ciphers.
-- I could know out-of-band the recipient is able to use particular cipher,
not announced in sMIMECapabilities due software deficiencies.
The scenario you describe is just *recommended* scenario for sending agent, not for a
human [RFC3851, sect. 2.7.1."Deciding Which Encryption Method To Use", -
http://tools.ietf.org/html/rfc3851#section-2.7.1]. This scenario describe what the best
sending agent can do without human intervention.
It's completely legal to encrypt the message with any cipher I want. RFC3851
admits this. Here is a 1st paragraph of sect.2.7.1:
-- <Choosing cipher> involves using information garnered from the
capabilities lists included in messages received from the recipient, as well as
out-of-band information such as private agreements, user preferences, legal
restrictions, and so on.
It could be a great enhancement if Thunderbird could allow to user-override the
automated cipher selection.
Best regards,
--
Konstantin Andreev, software engineer.
Swemel JSC
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
