In short, go to
http://kuix.de/smime-keyserver/
and give it a try.
Although I can't guarantee that this service will continue to run,
I will try to keep it up,
and I would like to see many people using it.
Longer explanation:
The GPG/PGP world has long known the concept of keyservers - public
places from where you can download the keys of other people.
I was not aware of comparable solutions for S/MIME certificates.
I know that it's possible to store personal certificates in LDAP
directories, but that's usually limited to closed environments, like
corporations.
I'm not aware of anyone running a cross-corporation, public, freely
accessible LDAP server that I could use for me and my buddies to share
our certs.
Even if there were such an LDAP server, there is the problem of access
control. Should anyone be able to modify entries? How do you control that?
For a long time I didn't have a good idea, until a couple of days ago.
The answer I found isn't LDAP. Instead I wrote a bunch of simple
scripts. The idea is:
- the keyserver processes incoming signed mail
- if the incoming email is not signed, the email is ignored
- if the keyserver cannot verify the signature on the email,
the email is ignored
(as of today, the keyserver accepts the same signing roots
as Mozilla software. It also allows certs from cacert.org)
- if the signed email includes the documented magic text string
allow-smime-keyserver-inclusion
then the keyserver will conclude that the message signer
agrees to having the key included in the keyserver
- the keyserver will extract the cert from the email, and will
store both email and cert locally
- the keyserver does NOT offer listing of entries.
If a user wants to retrieve a person's cert, the full
email address must be entered.
- if a cert is found for the given email address
(meaning the owner of a cert for that address has taken
action to get himself/herself included)
then the cert is made available for download
- because downloading and importing certs might be a hassle
(save to file, go to cert manager, import cert, etc.)
the keyserver offers a simplification:
It offers to forward you a copy of the original signed email
that was sent by the certificate owner, and received by the
keyserver.
(Thanks to Robert Relyea who proposed this improvement.)
(For privacy reasons, the keyserver will strip out all
unnecessary details from the message, all mail routing headers,
timestamp, etc.)
- in order to avoid some spam, and in order to motivate people to
register themselves with the keyserver,
only email addresses that are registered in the keyserver
are allowed as recipients of such forwarded emails
- I intended to add some sort of captcha protection to the
email forwarding feature, so you can't easily harass people
registered in the directory
Happy using and thanks in advance for feedback.
Regards
Kai
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
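The processing rules listed above, written out as an added Python example; this is not Kai's script but a stand-alone sketch of the same policy. It assumes a `verify` hook that stands in for the real S/MIME check (signature valid, chain to an accepted root, address taken from the certificate) and a constructed sample message with a dummy signature part.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
MAGIC = "allow-smime-keyserver-inclusion"   # opt-in string documented in the post
KEEP = {"from", "to", "subject", "mime-version", "content-type"}  # survives forwarding

def strip_headers(raw):
    # Drop Received/Date/etc. but leave the signed body bytes untouched so it still verifies.
    head, body = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    kept, keep = [], False
    for line in re.split(r"\r?\n", head):
        if line[:1] not in " \t":               # new header (a leading blank is a fold)
            keep = line.split(":", 1)[0].lower() in KEEP
        if keep:
            kept.append(line)
    return "\n".join(kept) + "\n\n" + body

class KeyServer:
    def __init__(self, verify):
        self.verify = verify   # assumed hook: signed msg -> address in its cert, or None
        self.entries = {}      # certified address -> raw signed message (email + cert)
    def submit(self, raw):
        msg = message_from_string(raw, policy=policy.default)
        if msg.get_param("protocol") != "application/pkcs7-signature":
            return "ignored: not signed"
        if (addr := self.verify(msg)) is None:
            return "ignored: signature not verified"
        body = msg.get_payload(0).get_body(("plain",))   # the signed content part
        if body is None or MAGIC not in body.get_content():
            return "ignored: no opt-in string"       # signer did not consent
        self.entries[addr.lower()] = raw
        return "stored: " + addr

    def has_cert(self, address):    # no listing: the exact address must be known
        return address.lower() in self.entries
    def forward(self, address, recipient):
        if not self.has_cert(recipient):   # only registered addresses get forwards
            return None
        raw = self.entries.get(address.lower())
        return strip_headers(raw) if raw else None

def demo_verify(msg):   # stand-in (assumed) for the real S/MIME check; trusts From
    return parseaddr(msg["From"])[1] or None

SAMPLE = "\n".join([  # constructed sample; "AAAA" is not a real signature
    "Received: from mx.example.net", "From: Alice <alice@example.com>",
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";',
    ' boundary="B"', "", "--B", "Content-Type: text/plain", "",
    "I agree: allow-smime-keyserver-inclusion", "--B",
    "Content-Type: application/pkcs7-signature", "", "AAAA", "--B--", ""])
```

A real deployment would replace `demo_verify` with a verifier that checks the PKCS#7 signature against the accepted roots and returns the address from the certificate, not the From header.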