Re: [Fed-Talk] s/mime and certification???
- Subject: Re: [Fed-Talk] s/mime and certification???
- From: Joshua Krage <email@hidden>
- Date: Fri, 30 May 2008 09:44:15 -0400
- Thread-topic: [Fed-Talk] s/mime and certification???
Each mailer's cryptographic module needs to be certified/validated. For
some, the module is provided by the OS, which means the OS's module needs to
be certified/validated.
FIPS 140-2 requires the specific code used in a cryptographic module to be
validated, not the formatting standard. The code's implementation of the
crypto algorithm(s) is a major focus area for the validation process.
S/MIME and the PKCS#X containers are formatting standards, not a codebase or
implementation.
Apple has abstracted their crypto functions into a dedicated codebase for
which we're all anxiously awaiting the results from the FIPS validation
process. When complete, this should cover Apple Mail.
Microsoft's Entourage is probably using the Apple functions.
Mozilla (anything) is not known to be validated. They have their own
codebase based off of the old Netscape code (validated, no longer
available).
On 5/29/08 7:14 PM, "Allan Marcus" <email@hidden> wrote:
>
> From what I know, Apple Mail, Entourage, and Thunderbird use s/mime
> for encryption. Even if we use Entrust for our certs, s/mime is how
> these mailers send encrypted mail.
>
> Anyone know if s/mime is FIPS 140 certified? Does s/mime need to be
> certified, or does each of these mailers need to be certified?
>
> Also, from wikipedia:
> "When a message is encrypted using S/MIME (or PKCS#7), the public key
> of each intended recipient is extracted from their certificates and
> those certificates are identified in the message by issuer and serial
> number. One of the consequences of this is that if a certificate is
> renewed (i.e. new certificate, same keypair) and the old certificate
> is deleted thinking it won't be needed any more, S/MIME clients will
> no longer be able to locate the decryption key to decrypt messages
> sent before the renewal, even though the key hasn't changed. In other
> words, deletion of expired certificates can have surprising
> consequences."
>
> Anyone know if this is still true?
>
> ---
> Thank you,
>
> Allan Marcus
> Central Software and Development Team (CSD)
> Departmental Computing Group (CTN-1)
> Computing, Telecommunications, and Networking (CTN) Division
> Los Alamos National Laboratory
> 505-667-5666
> email@hidden
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
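The renewal problem quoted above comes from how CMS names a recipient: a KeyTransRecipientInfo carries IssuerAndSerialNumber, so a client that matches only on issuer and serial cannot find a renewed certificate's key even though the key pair is unchanged. The following is an added toy model written for this page, not code from the thread or from any mail client: it builds a recipient info with a tiny DER encoder (constructed issuer name, serials and key label), parses the identifier back out, and runs the lookup with and without the old certificate kept in the store.

```python
# Added example: model of an S/MIME client locating its decryption key from a
# CMS KeyTransRecipientInfo (RFC 5652). All values below are constructed samples.

def der(tag, body):
    """Minimal DER TLV encoder (short-form length only, enough for this sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_int(v):
    """INTEGER: minimal two's-complement encoding (a set sign bit forces a leading 0)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def parse(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it); short-form lengths."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

CN_OID = der(0x06, b"\x55\x04\x03")                           # id-at-commonName 2.5.4.3
RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # rsaEncryption
# Constructed issuer: Name ::= SEQUENCE OF (SET OF (SEQUENCE {type, value}))
ISSUER = der(0x30, der(0x31, der(0x30, CN_OID + der(0x0C, b"Sample Issuer CA"))))

def key_trans_recipient_info(issuer, serial, encrypted_key):
    """KeyTransRecipientInfo ::= SEQUENCE {version 0, rid, keyEncryptionAlgorithm, encryptedKey}."""
    rid = der(0x30, issuer + der_int(serial))        # IssuerAndSerialNumber
    alg = der(0x30, RSA_OID + der(0x05, b""))        # AlgorithmIdentifier with NULL params
    return der(0x30, der_int(0) + rid + alg + der(0x04, encrypted_key))

def recipient_id(ktri):
    """Extract the (issuer DER, serial) the sender wrote into the recipient info."""
    _, body, _ = parse(ktri)
    _, _, p = parse(body)                            # skip version
    _, rid, _ = parse(body, p)
    _, issuer_val, p = parse(rid)
    _, serial_val, _ = parse(rid, p)
    return der(0x30, issuer_val), int.from_bytes(serial_val, "big", signed=True)

def find_private_key(store, ktri):
    """Client lookup by issuer+serial only; store entries are (issuer DER, serial, key label)."""
    issuer, serial = recipient_id(ktri)
    for cert_issuer, cert_serial, key in store:
        if cert_issuer == issuer and cert_serial == serial:
            return key
    return None

def demo():
    """Message sent to cert serial 1001; cert later renewed as 2002 with the same key pair."""
    old_msg = key_trans_recipient_info(ISSUER, 1001, b"\x00" * 16)      # constructed
    renewed_only = [(ISSUER, 2002, "rsa-key-A")]                        # old cert deleted
    both = [(ISSUER, 2002, "rsa-key-A"), (ISSUER, 1001, "rsa-key-A")]   # old cert kept
    return find_private_key(renewed_only, old_msg), find_private_key(both, old_msg)
```

`demo()` returns `(None, "rsa-key-A")`: with the old certificate deleted the key is not found, with it retained (even if expired) the same private key resolves.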