9 May
2011
9 May
'11
10:53 a.m.
Hello
today i discovered that if a mail is signed by i expired certificate
the certificate is still fetched and added to the Djigzo store. Is
this useful in any case or wouldn't it be better to ignore expired
certificates?
Regards
Andreas
9 May
9 May
1:31 p.m.
On 05/09/2011 10:53 AM, lst_hoe02(a)kwsoft.de wrote:
today i discovered that if a mail is signed by i
expired certificate
the certificate is still fetched and added to the Djigzo store. Is
this useful in any case or wouldn't it be better to ignore expired
certificates?
Does it harm to store them? If you store a cert that expires one day
later, you also have an expired cert. If someone decides to sign their
messages with an expired cert, there may be a reason for that. I
generally don't mind expired certs. I think Djigzo shouldn't thow away
certs with which messages have been signed.
dagdag
Christine
2:23 p.m.
It might make sense to always store them but not necessarily to "use" them.
It provides sort of a "paper trail" for sensitive messages which I think I
would want for medical data, which is what we will be using Djigzo for.
However, I am opened to being talked out of that position.
On Monday, May 09, 2011, Christine Karman wrote:
On 05/09/2011 10:53 AM, lst_hoe02(a)kwsoft.de wrote:
--
Nancy Anthracite
today i discovered that if a mail is signed by i
expired certificate
the certificate is still fetched and added to the Djigzo store. Is
this useful in any case or wouldn't it be better to ignore expired
certificates?
Does it harm to store them? If you store a cert that expires one day
later, you also have an expired cert. If someone decides to sign their
messages with an expired cert, there may be a reason for that. I
generally don't mind expired certs. I think Djigzo shouldn't thow away
certs with which messages have been signed.
dagdag
Christine
_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users
2:33 p.m.
Zitat von Nancy Anthracite <nanthracite(a)earthlink.net>et>:
It might make sense to always store them but not
necessarily to "use" them.
It provides sort of a "paper trail" for sensitive messages which I think I
would want for medical data, which is what we will be using Djigzo for.
However, I am opened to being talked out of that position.
With this you need to store the certificates along with the mail in
question, no? So Djigzo might not be the right place where this happens.
Regards
Andreas
2:42 p.m.
Well right now the medical record software doesn't see the certificates and
might not see the email if it is set to be rejected. I am going to have to
think some more about that.
On Monday, May 09, 2011, lst_hoe02(a)kwsoft.de wrote:
Zitat von Nancy Anthracite
<nanthracite(a)earthlink.net>et>:
--
Nancy Anthracite
It might make sense to always store them but not
necessarily to "use"
them. It provides sort of a "paper trail" for sensitive messages which I
think I would want for medical data, which is what we will be using
Djigzo for. However, I am opened to being talked out of that position.
With this you need to store the certificates along with the mail in
question, no? So Djigzo might not be the right place where this happens.
Regards
Andreas
2:28 p.m.
Zitat von Christine Karman <christine(a)christine.nl>nl>:
On 05/09/2011 10:53 AM, lst_hoe02(a)kwsoft.de wrote:
Djigzo does apply PKI rules, so it obeys expiring dates. With this
expired certificates are somewhat useless. One might argue that it
doesn't hurt (much) to store it today, but i disklike systems
collecting garbage because it might be useful somehow in the future.
If someone decide to use expired certificates, all mailclients used
today will show all sorts of errors, so it is discouraged anyway.
Regards
Andreas
today i discovered that if a mail is signed by i
expired certificate
the certificate is still fetched and added to the Djigzo store. Is
this useful in any case or wouldn't it be better to ignore expired
certificates?
Does it harm to store them? If you store a cert that expires one day
later, you also have an expired cert. If someone decides to sign their
messages with an expired cert, there may be a reason for that. I
generally don't mind expired certs. I think Djigzo shouldn't thow away
certs with which messages have been signed. 
12 May
12 May
5:17 p.m.
On 01/-10/-28163 08:59 PM, lst_hoe02(a)kwsoft.de wrote:
Hello
today i discovered that if a mail is signed by i expired certificate the
certificate is still fetched and added to the Djigzo store. Is this
useful in any case or wouldn't it be better to ignore expired certificates?
For both sides (adding it and not adding it) there are valid arguments.
You are right that the certificate is no longer usable and it's
therefore better not to add it (unless you add the certificate to the
CTL manually and allow it to be expired). However, it adding it also
helps the gateway administrator to see that a message was signed with an
expired certificate. If the certificate was not added the gateway
administrator would not have seen that the message was signed with an
expired cert. Do you want it to be optional whether to add the
certificate when the certificate is expired?
Kind regards,
Martijn
6:42 p.m.
Zitat von Martijn <martijn(a)djigzo.com>om>:
On 01/-10/-28163 08:59 PM, lst_hoe02(a)kwsoft.de wrote:
No, it is not that important to add another config option. If it is
really useful for someone to store expired certificates leave it that
way. We manually delete all expired certificates anyway so they get
trashed on this occasion again.
Regards
Andreas
Hello
today i discovered that if a mail is signed by i expired certificate the
certificate is still fetched and added to the Djigzo store. Is this
useful in any case or wouldn't it be better to ignore expired certificates?
For both sides (adding it and not adding it) there are valid
arguments. You are right that the certificate is no longer usable
and it's therefore better not to add it (unless you add the
certificate to the CTL manually and allow it to be expired).
However, it adding it also helps the gateway administrator to see
that a message was signed with an expired certificate. If the
certificate was not added the gateway administrator would not have
seen that the message was signed with an expired cert. Do you want
it to be optional whether to add the certificate when the
certificate is expired?
4074
days inactive
4077
days old
7 comments
5 participants
participants (5)
-
Christine Karman -
lst_hoe02@kwsoft.de -
Lst_hoe02@kwsoft.de
-
Martijn -
Nancy Anthracite