Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: encrypted email (gentoo-windows)
Date: Sun, 27 Mar 2011 11:12:52
Message-Id: 201103271211.27870.michaelkintzios@gmail.com
In Reply to: [gentoo-user] Re: encrypted email (gentoo-windows) by James
On Sunday 27 March 2011 03:03:30 James wrote:
> Sebastian Beßler <sebastian <at> darkmetatron.de> writes:
> > Mail encryption is, as far as I know, something that works on the
> > client-side only. The mail server doesn't see the encryption, encrypted
> > mails contain only text, just like every other mail.
>
> OK let's ignore the mail server portion. You're basically implying
> that encrypted mail handling from the server, does not matter if
> it's an exchange server, or *nix, like postfix....
>
> As an example.
> Look at the situation where a person is using only MS technology
> and has no access to support(input) on their client software nor the
> MS exchange server (big corp for example that assumes the world
> only uses MS software). Maybe they can make a few setting changes
> only in Outlook to get encryption working between a MS (Outlook)
> system and my Gentoo system using pgp and thunderbird?

Depending on the MSWindows OS and email client versions your MS counterpart
can try installing and running:

http://www.gpg4win.org/about.html

Alternatively, instead of OpenPGP you can use S/MIME certificates - either
self-signed or from a <ahem!> reputable Certification Authority. I prefer
the former where possible, although the average MSWindows user would struggle
on their own to even click a (single) button, let alone generate
public/private keys, configure a password and then negotiate with the
MSWindows certificate manager to accept them.

gpg4win will also act as the front for managing the MSWindows S/MIME certs,
although Outlook can manage these for SSL signing/encryption natively.

The SSL certificates offered by different CAs are mostly an expensive racket
for big corporate clients. Individual users are limited to a few available
CAs (like CACert, Comodo, etc) who issue free certificates for personal
(email) use, but only some of the browsers include them in their store of
trusted CAs - hence the need for manual import of Root CA keys, etc in the
user's browser/certificate store and of course the same with the recipients of
their email messages.

Before you commit to a CA, check which browsers and OS already include these
in their trusted Root CA store.


> > If my answer has nothing to do with your problem, please give me more
> > information what you have in mind.
>
> I do not have a problem. I have assumed that encrypted mail between
> a given client software on a gentoo system, will not work with windows.
> Is this assumption incorrect?

Yes, this is an incorrect assumption. OpenPGP will not work with MSWindows
natively without a 3rd party application (e.g. gpg4win), because OpenPGP does
not satisfy the requirements of Microsoft's monopolistic business model.

However, SSL certificates will work natively with MSWindows and its Outlook
email client. As I said above you have a choice of obtaining such
certificates: self-signed or signed by trusted Root CAs (some of which are
free for personal use).

Also, in the era of Cloud computing you have the choice of webmail
applications (like Horde) which can use both PGP and S/MIME to
sign/encrypt/decrypt messages, thus bypassing limitations of given OS or
desktop based mail clients.

Finally, you have SaaS solutions for secure email, like
http://www.hushmail.com/ but if one does not trust Root CAs why would he trust
some hushmail company and its employees is beyond me.


> Or it's just install whatever I want (mail client on gentoo) and it will
> auto-magically exchange encrypted mail with outlook on a windows machine,
> behind a MS Exchange server, regardless of what the MS admins
> do on their side?

Yes, as long as you manage encryption/decryption at the desktop. You need to
note though that some corporate IM policies may prohibit the use of encrypted
messages. These can be filtered out by the corporate mail server and stopped.


> I assumed that is not that easy (my default experience with MS),
> and things have to be coordinated, like most MS issues, to be
> able to exchange encrypted mail between a gentoo and MS workstation....
>
> Nothing to it, or massive issues on the MS side? Obviously,
> making changes on the gentoo workstation client, is easy....
> What I would really like is to be able to exchange encrypted mail
> with any MS user. That, I'm sure will entail pointing them to
> documents on how to set up the software on the MS (outlook) side.
> Links for MS help?

They do not need to look at Internet links - just ask them to look up digital
signing or encryption in their Outlook help pages.

Configuring Outlook is the easy part. The more confusing part might be
obtaining an S/MIME certificate and importing the Root CA certificate if it is
not already included in whatever Microsoft ships with. I think that Comodo
Root CA is already included (and the recently hacked Root CA certificate has
not been recalled through last week's MSWindows update).


> ???
> A general discussion at this point, not a specific solution.
> My googling only reveals dated discussions along these lines
> or information that is not useful.

Google has many examples and step-by-step instructions for configuring Outlook
to use SSL Certs (S/MIME), usually by the purveyors of all these expensive
certificate services:

http://www.globalsign.com/support/personal-certificate/per_outlook07.html
--
Regards,
Mick

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
[gentoo-user] Re: encrypted email (gentoo-windows) James <wireless@×××××××××××.com>