From kmail-devel Wed Aug 22 13:02:14 2001
From: Jörg Beermann
Date: Wed, 22 Aug 2001 13:02:14 +0000
To: kmail-devel
Subject: AW: S/MIME and PGP
X-MARC-Message: https://marc.info/?l=kmail-devel&m=99848520807832

>> The main difference between the PGP secured MIME (rfc2015, rfc3156) is that
>> S/MIME uses the CMS mentioned above. And this is a big difference ;)
>> cause S/MIME takes use of the x.509 Public Key Infrastructure
>> (rfc2459) PKIX, by the way which is used by SSL/TLS as well,
>> and this hierarchical structure is real different from PGP and the web of
>> trust.
>> x.509 Certificates (we talk of version 3) are DER encoded ASN.1 structures,
>> which encapsulates a lot of additional information apart from the Public
>
> PEM :) DER wouldn't work too well in a text-based message. ;)

for handling a certificate in a text-based form you are right,
but from the PKIX point of view there is no need to do so.
Normally a certificate is embedded in other structures, like PKCS#7 and these
structures are base64 encoded ;)
....but I don't want to be a wiseacre :))

>
>> For this reason the framework to handle x.509v3 Certificates is totally
>> different
>> from the framework to handle with PGP keys.
>
>I actually have some of this done in KSSL already, and I'll be adding the
>PKCS#7 bits over the next two months. We're using KConfig to store the keys,
>which is very simple. We need to have an encrypted KConfig framework to make
>this secure, too. We'll do that over the next few months as well.

As a suggestion: for storing the Private Key it might be a possibility
to store it in a PKCS#12 bag, at least I did it this way.
In this case also you don't need to convert the Private Key from/to
other Formats to make it accessible. You have a minimum standard of
security for protecting the Private Key. And for the foreign certs
there is no need to protect them.

> I don't have any code in place to handle x509v3 extensions yet, btw, but I
>will be needing them for SSL and TLS in 3.0 too.

OpenSSL is also able to handle a few extensions, like standard v3 and some
Netscape extensions.

>
>--
>George Staikos
>
_______________________________________________
Kmail Developers mailing list
Kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
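
The DER versus PEM versus base64 point from this message, as an added example that is not part of the original thread or of any KDE code: the same DER bytes are unsafe in a text message, PEM wraps them in base64 with BEGIN/END armor, and an S/MIME-style MIME part carries them as a plain base64 body without armor. All function names, the `smime.p7m` file name and the sample bytes are assumptions constructed for illustration.

```python
import base64
from email import message_from_bytes
from email.mime.application import MIMEApplication


def der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE (tag 0x30, definite length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])                      # short form
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw  # long form
    return b"\x30" + length + payload


# Constructed stand-in for a DER structure; not a real certificate or PKCS#7.
SAMPLE_DER = der_sequence(bytes(range(200)))


def is_text_safe(data: bytes) -> bool:
    """True if data is printable 7-bit ASCII plus tab, CR and LF."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in data)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM: base64 of the DER bytes, 64 columns, between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armor lines and decode the base64 body back to DER."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def der_to_mime_part(der: bytes) -> bytes:
    """S/MIME style: DER carried as a base64 MIME body, no PEM armor."""
    part = MIMEApplication(der, "pkcs7-mime", name="smime.p7m")
    return part.as_bytes()


def mime_part_to_der(raw: bytes) -> bytes:
    """Parse the MIME part and undo its Content-Transfer-Encoding."""
    return message_from_bytes(raw).get_payload(decode=True)


if __name__ == "__main__":
    print(is_text_safe(SAMPLE_DER), is_text_safe(der_to_pem(SAMPLE_DER).encode()))
    print(der_to_mime_part(SAMPLE_DER).decode("ascii"))
```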