
Re: (Practical) S/MIME certificate chain handling
On Mon, Jun 30, 2003 at 03:40:01PM -0700, Blake Ramsdell wrote:
> 
> > -----Original Message-----
> > From: owner-ietf-smime@xxxxxxxxxxxx 
> > [mailto:owner-ietf-smime@xxxxxxxxxxxx] On Behalf Of Julien Stern
> > Sent: Monday, June 30, 2003 3:35 AM
> > To: Blake Ramsdell; jimsch@xxxxxxxxxx; ietf-smime@xxxxxxx
> > Subject: Re: (Practical) S/MIME certificate chain handling
> > 
> > > I believe that most clients transmit the certificate chain (not
> > > including the root) today.
> > 
> > To the best of my knowledge, Outlook does not, and it has quite a large
> > market share ... (Although, I'd be happy to know how to make it do so if
> > there is a way ;) ).
> 
> Outlook 2002 sends all the certificates in the chain (I just verified
> this).  When Jim Schaad wrote the code way back in something like
> Outlook 97, I'm fairly certain that it sent all the certificates also.
> This could very well be a case of misconfiguration of some sort, and I'd
> be happy to work through it with you offline.  The early S/MIME
> implementations all understood the utility of this, and included the
> certificates for exactly the reasons that you cite.

We did a bit of research, and it seems that, for Outlook, if
intermediate certificates are stored in the local machine stores, they
are indeed sent. However, if these certificates are stored in the user
stores (the ones in the user profile) they are not sent, despite the
fact the chain is correctly reconstructed. This behavior is different
from the one in Outlook Express.

> [many things regarding automatic verification snipped]

Regarding the rest of this thread, thanks to all for your enlightening
replies. I guess I'll take the pragmatic approach and attempt to focus
on the settings that actually work ;) And hopefully, at some point, I
will have the insurance that, given the extensions in my chain of cert,
and the available servers, _any_ S/MIME compliant receiver will indeed
be able to verify everything automatically, including revocation...

--
Julien
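The thread's practical question is whether a given sender's signed mail actually carries the intermediate CA certificates (the chain minus the root), which Julien reports Outlook only does when the intermediates sit in the machine store. The following is an added example, not code from the thread or from any of the products discussed: it builds a throwaway root / intermediate / leaf chain with the Python `cryptography` package, produces two CMS SignedData blobs (one carrying the intermediate, one omitting it, mimicking the two Outlook behaviours described above), and reports which expected chain members a received message is missing. The certificate names, the message text and the 30-day validity are constructed values.

```python
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7


def _make_key():
    # RSA is used because every S/MIME client understands it (constructed key, not persisted).
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _make_cert(subject_cn, issuer_name, issuer_key, subject_key, is_ca):
    """Issue a minimal X.509 certificate; issuer_name=None means self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_name if issuer_name is not None else name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


# Constructed three-tier chain: root -> intermediate -> sender (leaf).
ROOT_KEY, INT_KEY, LEAF_KEY = _make_key(), _make_key(), _make_key()
ROOT = _make_cert("Example Root CA", None, ROOT_KEY, ROOT_KEY, True)
INTERMEDIATE = _make_cert("Example Intermediate CA", ROOT.subject, ROOT_KEY, INT_KEY, True)
LEAF = _make_cert("Sender", INTERMEDIATE.subject, INT_KEY, LEAF_KEY, False)

MESSAGE = b"Constructed S/MIME body for the chain check.\r\n"


def sign_message(data, include_intermediate):
    """Build a DER SignedData. The signer cert is always included; the
    intermediate is added only when include_intermediate is True, which is
    the behaviour difference the thread describes."""
    builder = pkcs7.PKCS7SignatureBuilder().set_data(data)
    builder = builder.add_signer(LEAF, LEAF_KEY, hashes.SHA256())
    if include_intermediate:
        builder = builder.add_certificate(INTERMEDIATE)
    return builder.sign(serialization.Encoding.DER, [])


SIGNED_WITH_CHAIN = sign_message(MESSAGE, include_intermediate=True)
SIGNED_LEAF_ONLY = sign_message(MESSAGE, include_intermediate=False)


def _fp(cert):
    return cert.fingerprint(hashes.SHA256())


def carried_subjects(signed_der):
    """Subjects of every certificate embedded in the SignedData blob."""
    return {c.subject.rfc4514_string() for c in pkcs7.load_der_pkcs7_certificates(signed_der)}


def missing_chain_certs(signed_der, expected_chain):
    """Return the subjects of expected chain members (leaf and intermediates,
    not the root) that the message does not carry. An empty list means a
    receiver with only the root can build the path from the message alone."""
    carried = {_fp(c) for c in pkcs7.load_der_pkcs7_certificates(signed_der)}
    return [c.subject.rfc4514_string() for c in expected_chain if _fp(c) not in carried]


if __name__ == "__main__":
    for label, blob in (("with intermediate", SIGNED_WITH_CHAIN), ("leaf only", SIGNED_LEAF_ONLY)):
        print(label, "carries", sorted(carried_subjects(blob)),
              "missing", missing_chain_certs(blob, [LEAF, INTERMEDIATE]))
```

The root is deliberately left out of the expected chain passed to `missing_chain_certs`, matching the thread's convention that senders transmit the chain "not including the root"; a receiver is expected to hold roots locally. To check a real message, replace `SIGNED_WITH_CHAIN` with the DER body of the `application/pkcs7-signature` part and `expected_chain` with the sender's actual intermediates.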