S/MIME thoughts

[flaviozluca]

Guys,

I was testing S/MIME to make a FAQ, having obtained a free cert at the only place that still offers free S/MIME (Italian Actalis).

1. One thing I noticed in the past already. Every time I want to sign an email message, in each new GO login, I have to type in the S/MIME certificates pwd.

I understand I can mark the checkbox to "always sign digitally" but if that's not desired, seems a bit too much work to have to manually type in the pwd over and over again each time I login again to webmail.

I understand this could be security related, but I don't think other clients work this way. Thunderbird doesn't. It asks for the pwd just once, when you import the S/MIME cert.

2. In GO's manual, here: https://groupoffice.readthedocs.io/en/latest/using/email.html?highlight=mime#s-mime

"When you receive a signed message, you can verify the signature. When the signature is valid. Group-Office will automatically save the public certificate which can be used to send encrypted messages."

Do I need to just verify it (clicking on it, I guess?), really or add the sender, who sent me a message signed digitally, to my contacts?

Thanks.

[michalcharvat]

1. There is security reason. Basically everyone who has access to your mailbox can send email from it. I use smime in email communication on daily basis and I dont see any problem fill password when you want to send message. The only problem is about midnight if you running GO in debug mode but thats all. You dont need to fill password again and again with new message but why you shouldnt fill password after login? Your mailbox could be shared so when you fill certificate password, everyone can trust the message is directly from you. Without that I don't see any reason use smime, because everyone with access to your account can send mail on your behalf.
2. I guess until there will be implemented message caching, it will be pretty slow verify every message on the load. However this is planned to new mail module. @mschering could tell you more about this I guess.

[flaviozluca]

Dear Michal,

Thanks a lot for your reply.

1. Not sure I understood everything. What Im saying is, I send a message signed digitally. Fine, GO seems to remember my pwd and not ask for it anymore.

However, if I logout from webmail and back in, it asks for the cert pwd again.

So, unless one uses that option to stay logged in, every day, the first message they sign digitally, they have to put the S/MIME cert pwd, when sending that first digitally signed email.

That's what, imho, is a bit strange. I don't think other webmails do that. Thunderbird doesnt. It never asks for my cert pwd again and again. Of course, I understand it's different, as it's an app installed on my PC.

I can test Gmail if you want, I doubt it asks for the pwd again, if I logout, logon again and try to send a digitally signed message once more.

2. Not sure I was clear on this one, sorry. It's more a question, as the documentation isn't extremely clear.

For me to be able to encrypt emails, documentation says:

"When you receive a signed message, you can verify the signature. When the signature is valid. Group-Office will automatically save the public certificate which can be used to send encrypted messages."

*** So, it seems to imply that just by viewing the certificate (how ,clicking on the attachment?) it will get person's public certificate part.

Is that it?

I remember having to add the person as a contact, no?

Thanks.

[michalcharvat]

Hi Flavio,

1. I understand your problem. Currently your password is stored to session until you logout from GO. Maybe the good question is why do you need logout and then login back to GO? Can't you simply use single GO account with access to multiple mailboxes? From my point of view GO is stricly secured - simply never trust the user who just login to your account - it could be basically admin or any other person with admin permissions and why they should send messages on your behalf? SMIME is here to verify your identity. Your password is not stored anywhere except session which is deleted after logout. Perhaps it could be possible modify smime module to store password to GO but with this option you will loose security. Other option was remove password from certificate which is not supported anymore.

2. Not sure if you are talking about signing or encryption - you are mixing two different things. Signature is verified by clicking on
   
   but the encrypted message has attachment:
   

Public certificates could be also managed via Public SMIME certificates dialog

[flaviozluca]

Dear Michal,

Thanks a lot for your reply.

1. I could perfectly always stay logged in to GO. I do have multiple accounts in it. I only usually sign out because I have to test other customer's accounts, etc.

My worry is not really myself. I barely sign digitally. I did it more to make a faq for my customers and give them that possibility. My goal was more to help, perhaps, improve GO.

If it's by design, no worries. I just think, Id have to check, that most webmails don't do it this way, requiring you to retype the pwd of the certificate if you log out. I always like to do the benchmarking, compare with other webmails. Does Office 365 do this, Gmail, Zimbra, etc.? To help decide.

In any way, no worries, if you guys think it's best this way, no problem. Maybe document this a bit clearer. You will be asked for the certificate pwd again, if you log out and on to your account.

2. I understand the difference, what Im saying is that this part ""When you receive a signed message, you can verify the signature. " isn't so clear exactly how to go about this.

I'd, perhaps, change it to "When you receive a signed message, you can verify the signature., by clicking on a link that appears in the email header".

Nothing really needed, just would be even clearer.

So the answer is, that's it, no need to add person to contacts, just click on the link.

Thanks!