Damian Hesse wrote:
> Hi everybody,
>
> we have set up our own CA and generated for everybody
> user certificates for secure communication. It really works
> fine.
>
> The task: now we want to set up mailing lists (server side)
> like "[EMAIL PROTECTED]" where some users of our company and
> some from a customer should be able to write signed and
> encrypted emails and everybody on the list should be able to
> read it.
One point about signed and encrypted mails is that they are typically an encrypted mail whose content is the signed mail. Here's one way this might work out.

User A wishes to join the mailing list. A signed email message containing the request is sent to the list server's subscribe/unsubscribe address. The list server verifies the signature, stores the certificate contained in the message and, after appropriate checks are made, user A is added to the list. The list server sends back an email signed using its own certificate and encrypted using user A's certificate with the confirmation; this comes from the mailing list contribution address. User A can then decrypt the confirmation message *and* will get the list server's certificate. Similar things happen when users B and C want to join.

Now if user A wishes to contribute to the list, a message is sent to the mailing list which is a signed message encrypted using the mailing list certificate. The mailing list software decrypts the message and verifies the signature. It then sends versions of the message to each member of the list, encrypted with each user's certificate. The From: address is kept as User A. Because of the way signed and encrypted S/MIME works, this will mean that the list users should be able to verify the original signature.

That's one scenario; the way many S/MIME clients work will mean that this is largely automatic.

There are other variations which can be done. One is to obtain the mailing list certificate via a web page and/or handle subscription requests that way.

A completely different technique which isn't quite the same as an encrypted mailing list but has many of the same properties would be to run a secure news server, with access granted by presenting a certificate using SSL client authentication.

Steve.
--
Dr Stephen N. Henson.
http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
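The contribution round trip described in the reply (contributor signs then encrypts to the list; the list decrypts, checks the signature and re-encrypts the still-signed message to each member; a member decrypts and verifies the contributor's original signature), as an added example using the `openssl smime` command line. It is not code from the post or from the OpenSSL project; every CA, user name, address and path is constructed for the demo, and it assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added demo of the signed-then-encrypted list flow (not from the list post). Assumes the
# openssl CLI is installed; every name, address and path here is constructed for the demo.
set -e
WORK=$(mktemp -d)   # scratch dir, left in place so the produced messages can be inspected

# Issue a key and certificate: the CA self-signs, everyone else is signed by the CA.
mkcert() {  # $1 = name, $2 = subject, $3 = X.509 extensions (openssl.cnf syntax)
  printf '%b\n' "$3" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$1" = ca ]; then issuer="-signkey $WORK/ca.key"
  else issuer="-CA $WORK/ca.crt -CAkey $WORK/ca.key -CAcreateserial"; fi   # $WORK has no spaces
  openssl x509 -req -in "$WORK/$1.csr" $issuer -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}
USER_EXT='keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection'
smime_setup() {
  mkcert ca '/CN=Demo CA' 'basicConstraints=critical,CA:TRUE'
  for u in list usera userb; do mkcert "$u" "/CN=$u/emailAddress=$u@example.com" "$USER_EXT"; done
}

# Contributor: sign with own key, then encrypt the *signed* message to the list certificate.
smime_post() {  # $1 = sender, $2 = plaintext file
  openssl smime -sign -in "$2" -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$WORK/signed.eml"
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" -out "$WORK/to_list.eml" "$WORK/list.crt"
}

# List server: decrypt with the list key, check that the inner signature chains to the CA before
# relaying, then re-encrypt the untouched signed message to each member (From: stays the sender).
smime_relay() {  # $1 = sender, remaining args = members
  from=$1; shift
  openssl smime -decrypt -in "$WORK/to_list.eml" -recip "$WORK/list.crt" -inkey "$WORK/list.key" -out "$WORK/inner.eml"
  openssl smime -verify -in "$WORK/inner.eml" -CAfile "$WORK/ca.crt" -out /dev/null 2>/dev/null
  for m in "$@"; do
    openssl smime -encrypt -aes256 -from "$from@example.com" -to "$m@example.com" \
      -in "$WORK/inner.eml" -out "$WORK/to_$m.eml" "$WORK/$m.crt"
  done
}

# Member: decrypt with own key, then verify the original contributor's signature against the CA.
smime_read() {  # $1 = member; prints the verified body
  openssl smime -decrypt -in "$WORK/to_$1.eml" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" -out "$WORK/got_$1.eml"
  openssl smime -verify -in "$WORK/got_$1.eml" -CAfile "$WORK/ca.crt" -out "$WORK/body_$1.txt" 2>/dev/null
  tr -d '\r' < "$WORK/body_$1.txt"
}

printf 'Minutes of the joint meeting\n' > "$WORK/msg.txt"   # constructed sample message
smime_setup; smime_post usera "$WORK/msg.txt"; smime_relay usera userb
smime_read userb   # prints: Minutes of the joint meeting
```

The relay never re-signs: only the outer envelope is replaced, which is why the member's final `-verify` still succeeds against user A's certificate.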