On Sat, Apr 04, 2015 at 07:15:54PM +0200, Bernard Massot wrote:
> David J. Weller-Fahy wrote:
> > After much frustration I discovered why mutt wouldn't work with the
> > SMIME keys issued at work: there are two of the private keys (one for
> > signature, one for encryption), and a single public key.
>
> What's that protocol? Until now I've only heard of sender's private key to
> sign and decrypt, and recipient's public key to encrypt.
Some formal key infrastructures managed by corporations, government
departments, etc. will issue you two distinct private keys, each with its own
X.509 certificate. One is only to be used for digital signatures, and the other
is only to be used for data encryption. The certs have markers in them so that
applications can tell the purpose of each key.

One reason for doing this is that they can keep a copy of your data key, and
then decrypt your company data if you die, get fired, are under investigation,
or whatever -- while at the same time *not* keeping a copy of your signature
key.

> > Is this a supported configuration?
>
> Definitely. There are a lot of smime_* configuration variables.

Last I checked (admittedly this was a couple years ago) it only let you specify
a single private key to be used for both signing outgoing mail and decrypting
incoming mail. Which is not sufficient. I had to patch in some more variables.

> > If so, does anyone have an example configuration they'd like to
> > share?

Unfortunately the changes I made are on a corporate network where I can't
share them. I don't recall it being very complicated, though. The next time I
get a chance I'll review the patches, and I might at least be able to describe
how I did it.

-Dave Dodge/dodo...@dododge.net
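The "markers" Dave refers to are the X.509 keyUsage extension bits. The script below is an added example, not from this thread or from mutt: it builds two constructed self-signed test certs carrying the bits a dual-key S/MIME PKI would set, then reads the extension back to tell the signing cert from the encryption cert, which is the check you would run on a corporate-issued pair before wiring them into a mail client. It assumes OpenSSL 1.1.1 or later (for `-addext` and `x509 -ext`).

```shell
#!/bin/sh
# Added example: classify S/MIME certs by their keyUsage extension.
# Assumes OpenSSL >= 1.1.1. The certs and subject are constructed test data.
set -e
WORK=$(mktemp -d)

# make_cert <basename> <keyUsage bits>: constructed self-signed test cert.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example user/emailAddress=user@example.invalid" \
        -addext "keyUsage=critical,$2" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_cert sign "digitalSignature,nonRepudiation"   # signature-only cert
make_cert encrypt "keyEncipherment"                # encryption-only cert

# classify_cert <pem>: prints signing, encryption, both (one dual-purpose
# cert) or unknown (no readable keyUsage marker, e.g. not a cert at all).
classify_cert() {
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | tail -n +2)
    s=0; e=0
    case "$ku" in *"Digital Signature"*|*"Non Repudiation"*) s=1 ;; esac
    case "$ku" in *"Key Encipherment"*|*"Data Encipherment"*) e=1 ;; esac
    if [ "$s" = 1 ] && [ "$e" = 1 ]; then echo both
    elif [ "$s" = 1 ]; then echo signing
    elif [ "$e" = 1 ]; then echo encryption
    else echo unknown; fi
}

for c in sign encrypt; do
    echo "$c.pem: $(classify_cert "$WORK/$c.pem")"
done
```

Run it against the two certificates the corporate PKI issued you; the one that reports `signing` goes with the signing key, the one that reports `encryption` with the decryption key.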