Re: Thawte Digital Certificate Revocation List Issue

From: Neb Okla (n_okla_at_hotmail.com)
Date: 03/14/04 (Sun, 14 Mar 2004 03:37:04 -0500)

First, you should know that your signature was invalid because the "From"
address in your post was not the same as the email address in your
certificate. I'll email you the details in case you don't want that address
to be harvested by Spam-bots.

To fix this, you need to set your "Default" email account to be the
"Illinois Divorce Reform" email address. Outlook Express (OE) can only post
digitally signed emails to newsgroups from the default account. Yeah, I
know it sucks, and I've already emailed mswish@microsoft.com with a "wish"
that they'd fix it (I've got my fingers crossed for Windows XP SP2 - but I'm
not holding my breath).

To set the account as your default, just do this:

    Tools > Accounts... > Mail (Tab) > Set as Default (Button)

Unfortunately OE is the only news client I've found that supports signed
NNTP posts, so I'm stuck with it for a while. It's handy for eliminating
spoofed posts though.

Also, I notice that you tried to munge your email address to fight Spam
harvesters. Instead of munging my address, I post with a Hotmail address
(which has great Spam filtering nowadays) and barely get any Spam to this
address despite posting many times a day to a variety of NNTP groups.

...more on using S/MIME with Hotmail below.

"Illinois Divorce Reform" <info @ illinoisdivorcereform.com> wrote in
message news:uExgDbTCEHA.3064@tk2msftngp13.phx.gbl...
>
> I have more questions though:
>
> 1-I am using version 6 of Internet Explorer. I cannot find an option to
> disable CRLs. Apparently it's no longer an issue because they are on their
> way out?

I believe you can disable them in Outlook Express 6 by going to...

Tools > Options > Security (Tab) > Advanced... (Button)

Set "Revocation Checking" to "Never".

Mine is not set this way, however, and I do not experience your revocation
list issue, though I recall seeing the message in the past.

> 2-In the meantime, how can I add these CRL lists to a 'path?' as suggested
> in Thawte's writeup? And would that make the message go away? The message
> is not the same one that *Vanguard* found here at Thawte. See the original
> one..http://www.thawte.com/html/SUPPORT/email/iexplorer.html that reads as
> follows:

I assume they mean to add it to your browser path - or the folder where your
browser's files reside.

They may be talking about configuring environment variables - such as paths.

Overall, I think the statement is unclear. You should probably email Thawte
support and ask them to clarify. Be sure to send them the URL of the page
that contains the ambiguity - and of course post a reply here so that future
NNTP users can find the answer to your question. :)

> 3-What about certs with Yahoo Mail or Hotmail? Millions of people use these,
> but can you send encrypted or digitally signed messages to them? I know
> you can SEND TO these addresses digitally signed.

To be clear, you can send to any address digitally signed. If you cleartext
sign your messages, anyone can read the signed messages - even if their
client doesn't support S/MIME. Generally, users will see the S/MIME signature
in one of three ways:

    1) If they support S/MIME, they will see some kind of icon indicating
       that the message is signed.
    2) If they support MIME, but not S/MIME, they will see an attachment
       with the .P7S extension.
    3) If they don't support MIME, they will see the MIME data inline with
       their email or NNTP post.

The contents of the .P7S file look kind of like a HUGE PGP signature - which
makes sense because they are based on the same encryption technology - but
the S/MIME signature contains more information on the certificate while PGP
uses keyring servers to store additional information.

Ok, now on to your initial question about web-based email clients...

The only web-based email client I know of that supports S/MIME is Outlook
Web Access - which is available as a free add-on for Microsoft's Exchange
email and collaboration server product.

Yahoo and Hotmail (for example) do not support S/MIME, but you can use
S/MIME with them as long as you use a client that supports S/MIME to check
your Yahoo or Hotmail account.

I think Yahoo has a pay service that allows you to check email with any SMTP
client. This is great because it supports a lot of clients - but bad
because you have to pay. :)

In the case of Hotmail, both Outlook (OL) and Outlook Express (OE) allow you
to check Hotmail email accounts for free - but it uses an HTTP protocol to
do so. As a result, you can probably only check Hotmail email with OL and
OE - and not other clients like Eudora that support SMTP and other more
traditional email protocols. On the bright side, OE is a free client, you
can use it to check lots of different Hotmail accounts, and this approach
allows you to download and archive Hotmail email messages to your local
folders. Having OE check your Hotmail also prevents your Hotmail account
from expiring - so I highly recommend this approach to any Hotmail user (and
it's SUPER easy to set-up).

To send signed or encrypted email from a Hotmail account, simply issue a
certificate for the Hotmail email address once you have obtained a digital
ID, then download the cert as you would for any other OL or OE account. As
long as you send email via Hotmail using that client, you'll have the
ability to send signed and encrypted messages.

As an added note, Hotmail normally tacks on an advertisement on messages
sent with the web interface. Messages sent with OL or OE do not have this
advertisement.

Also of note, Yahoo in the past has modified the contents of user emails
"for their own good" to prevent malicious code from harming its users.
Digitally signing an email ensures that it is not tampered with by the ISP
(as happened in this case) or anyone else.

As a general rule though, people who use Hotmail or Yahoo mail aren't highly
concerned with email security, so don't expect all of the Yahoo and Hotmail
users on your list to run out and get an S/MIME ID.

As you can tell, this all requires a pretty clever set-up that may be a
hassle to replicate on every machine you use (which is really the point of
Webmail - isn't it?). The way I solve this problem is by configuring
everything to work the way I like it on my home machine, then accessing it
via Remote Desktop Protocol (RDP). If you have Windows XP Professional, all
you need to do is turn it on (since XP Pro ships with a single Terminal
Services License). I've used a lot of other major remote desktop style
systems on a wide array of operating systems; RDP is by far the fastest,
most secure, and most convenient.

I've checked and sent email on my home machine from far-away cities while on
vacation, from Macs, and from machines without the RDP client (but with
IE4.0 or above installed). It's a godsend.

> Bottom line, can I use these CRLs or not??? What's the point of even a
> trusted cert if you can't check it against a CRL?

Well, by default Thawte free email certs self-destruct after a year. I've
revoked a few of mine, but I haven't verified that it worked. I did it
mostly for tidiness reasons - and so that people don't send me encrypted
email to a cert I'm not using.

> As a side note, you can add more personal info to the cert for Thawte. I
> need to research it again but at a minimum you can add a name. I know this
> because I am a notary for Thawte myself.

This is true. You can add a name to a digital ID - as well as a company of
employment (though I've not done this and it may only be available on paid
certs).

I don't see much point in adding personal info to a cert. Once a person is
notarized they've had their government issued photo ID checked against their
person several times if their name appears on the cert. Often more than the
three times mentioned before.

At that point you know who you are talking to and can ask them for their
personal info.

I've seen PGP certs with silly photos instead of the actual person, so I see
the personal info aspect as more of a novelty than a necessity.

Finally, for more info on using S/MIME to send secure email I highly
recommend this tutorial:

    http://www.marknoble.com/tutorial/smime/smime.aspx

It's helped me out a time or two.
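As an added example (not part of this post, and not Thawte's or Microsoft's tooling), the clear-signed S/MIME layout described above and the tamper-evidence point about providers rewriting mail, shown with the openssl command-line tool; the certificate, address and message text are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): clear-sign a message with the
# openssl CLI, look at what a MIME-aware but S/MIME-unaware client sees
# (a detached smime.p7s attachment), verify it, and show that a body altered
# after signing fails verification. Assumes the openssl binary is on PATH;
# the certificate, addresses and message text are all constructed here.

WORK="$(mktemp -d)"

# Self-signed certificate standing in for a CA-issued email cert (constructed).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Poster/emailAddress=poster@example.invalid" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Clear-sign: -text wraps the body as text/plain and the signature is detached,
# so the output is multipart/signed with a readable body plus smime.p7s.
sign_message() {
    printf 'This is the signed body.\n' > "$WORK/body.txt"
    openssl smime -sign -text -in "$WORK/body.txt" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$WORK/signed.eml"
}

# Name of the signature attachment, as a non-S/MIME client would display it.
signature_attachment_name() {
    sed -n 's/.*filename="\([^"]*\)".*/\1/p' "$WORK/signed.eml" | head -n 1
}

# Verify against the signer's cert; prints "valid" or "invalid".
verify_message() {
    if openssl smime -verify -in "$1" -CAfile "$WORK/cert.pem" \
            -out /dev/null >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Simulate a provider rewriting the body in transit (the tampering the post
# warns about): change one word, leave the signature part untouched.
tamper_message() {
    sed 's/signed body/altered body/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

make_cert && sign_message && tamper_message
echo "signature part: $(signature_attachment_name)"
echo "original:  $(verify_message "$WORK/signed.eml")"
echo "tampered:  $(verify_message "$WORK/tampered.eml")"
```

A MIME-only client shows the smime.p7s part as an opaque attachment, which is the second of the three cases in the post; the altered copy fails because the detached signature still covers the original body.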
