
List:       kmail-devel
Subject:    AW: S/MIME and PGP
From:       Jörg_Beermann <beermann () secude ! com>
Date:       2001-08-22 13:02:14

>> The main difference between the PGP secured MIME (rfc2015, rfc3156) is that
>> S/MIME uses the CMS mentioned above. And this is a big difference ;)
>> cause S/MIME makes use of the x.509 Public Key Infrastructure
>> (rfc2459) PKIX, by the way which is used by SSL/TLS as well,
>> and this hierarchical structure is really different from PGP and the web of
>> trust.
>> x.509 Certificates (we talk of version 3) are DER encoded ASN.1 structures,
>> which encapsulate a lot of additional information apart from the Public
>
>   PEM :)  DER wouldn't work too well in a text-based message.

	;) for handling a certificate in a text-based form you are right,
	but from the PKIX point of view there is no need to do so.
	Normally a certificate is embedded in other structures, like PKCS#7, and these
	structures are base64 encoded ;)
	....but I don't want to be a wiseacre :))

>
>> For this reason the framework to handle x.509v3 Certificates is totally
>> different from the framework to handle PGP keys.
>
>I actually have some of this done in KSSL already, and I'll be adding the
>PKCS#7 bits over the next two months.  We're using KConfig to store the keys,
>which is very simple.  We need to have an encrypted KConfig framework to make
>this secure, too.  We'll do that over the next few months as well.

	As a suggestion: for storing the Private Key it might be a possibility to store it
	in a PKCS#12 bag, at least I did it this way.
	In this case you also don't need to convert the Private Key from/to
	other formats to make it accessible.
	You have a minimum standard of security for protecting the Private Key.
	And for the foreign certs there is no need to protect them.
	

>   I don't have any code in place to handle x509v3 extensions yet, btw, but I
>will be needing them for SSL and TLS in 3.0 too.

	OpenSSL is also able to handle a few extensions, like standard v3 and some
	Netscape extensions.
	
>
>-- 
>
>George Staikos
>
_______________________________________________
Kmail Developers mailing list
Kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
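
Added example, not part of the original thread and not KSSL or OpenSSL code: the DER versus PEM point discussed above, showing that PEM is only base64 armor around the same DER bytes, with a minimal DER tag-length-value reader. The sample structure and the "CONSTRUCTED SAMPLE" label are constructed for illustration and are not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def der_decode(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at pos; reject bad lengths."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        count = first & 0x7F
        if count == 0 or pos + count > len(data):
            raise ValueError("indefinite or truncated length")
        n = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + n > len(data):
        raise ValueError("value runs past end of input")
    return tag, data[pos:pos + n], pos + n

def pem_encode(der: bytes, label: str) -> str:
    """Wrap DER bytes in text-safe armor: base64, 64 columns, BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_decode(text: str):
    """Return (label, der) for the first PEM block found in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)

# Constructed sample: SEQUENCE { INTEGER 2, OCTET STRING (200 bytes) }
SAMPLE_DER = der_encode(0x30, der_encode(0x02, b"\x02") + der_encode(0x04, bytes(range(200))))
SAMPLE_PEM = pem_encode(SAMPLE_DER, "CONSTRUCTED SAMPLE")
```

The raw DER contains bytes outside the printable ASCII range, which is why it needs armor or an enclosing base64-encoded container before it can travel in a text message.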
