Automatic certificate selection

Hello

Our user certificates reach their first year this autumn and we
prepare for renewal of the certificates, which means we have old and
new certificates for some transit time in our Djigzo database. This
should be no problem for decrypting keys as all matching for a given
address will be tried I guess. For signing the documentation says "if
there are multiple certificates suitable for signing, the first
certificate found will be selected". Is it possible to alter this to
something like the certificate with the longest validity will be
selected? I guess this would better fit most cases.

Regards

Andreas

Hi Andreas,

> new certificates for some transit time in our Djigzo database. This
> should be no problem for decrypting keys as all matching for a given
> address will be tried I guess.

Yes that should be no problem. The gateway will search for any
available private key which can be used to decrypt the message with.

> address will be tried I guess. For signing the documentation says "if
> there are multiple certificates suitable for signing, the first
> certificate found will be selected". Is it possible to alter this to
> something like the certificate with the longest validity will be
> selected? I guess this would better fit most cases.

The way it currently works is that once a signing key has been
selected, it will be used until the signing key (to be precise, the
certificate associated with the private key) expires or is no longer
valid, or when a new signing key is explicitly selected.

Selecting a signing key for every new email might not always be the
best choice because it won't allow you to explicitly select a different
one than the selected one. Suppose you have a certificate which you
must use for signing but have another one which should be used for
decryption, and the encryption key's validity exceeds the validity of
the signing key. In that case you want to make sure the explicitly
selected signing key will always be used (at least until it expires).

> selected? I guess this would better fit most cases.

You might be right. I can add an option so you can choose which private key select procedure you want to use.

For example the following options:

NEVER_SELECT
SELECT_FIRST_TIME
SELECT_NEWEST
SELECT_LONGEST_VALID

Is it possible to add a JIRA entry for your request?

https://jira.djigzo.com/

Kind regards,

Martijn

On Thu, 2010-09-16 at 16:18 +0200, lst_hoe02(a)kwsoft.de wrote:

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Hi Andreas,

> new certificates for some transit time in our Djigzo database. This
> should be no problem for decrypting keys as all matching for a given
> address will be tried I guess.

Yes that should be no problem. The gateway will search for any
available private key which can be used to decrypt the message with.

Fine.

> address will be tried I guess. For signing the documentation says "if
> there are multiple certificates suitable for signing, the first
> certificate found will be selected". Is it possible to alter this to
> something like the certificate with the longest validity will be
> selected? I guess this would better fit most cases.

The way it currently works is that once a signing key has been
selected, it will be used until the signing key (to be precise, the
certificate associated with the private key) expires or is no longer
valid, or when a new signing key is explicitly selected.

Selecting a signing key for every new email might not always be the
best choice because it won't allow you to explicitly select a different
one than the selected one. Suppose you have a certificate which you
must use for signing but have another one which should be used for
decryption, and the encryption key's validity exceeds the validity of
the signing key. In that case you want to make sure the explicitly
selected signing key will always be used (at least until it expires).

Splitting the signing key/cert from decryption key/cert seems odd to
me because the remote party needs your public key to encrypt and the
public key is picked up from digitally signed mail in most cases, no?
For this scenario with split keys/certs I suspect that manually
selecting the signing key would be a better choice? I was not aware
that "auto selection" for signing means that it is selected once and
then used until it expires.

> selected? I guess this would better fit most cases.

You might be right. I can add an option so you can choose which
private key select procedure you want to use.

For example the following options:

NEVER_SELECT
SELECT_FIRST_TIME
SELECT_NEWEST
SELECT_LONGEST_VALID

I would not invest too much time. The new signing certs are used
automatically anyway as expected but only after the old has expired,
which means some days/weeks more spreading the old soon outdated cert
which is not too much hassle.

Instead of another option I would go like this:

choose signing certs automatically set

--> check if more than one valid cert/key is available
  - if a longer valid one is available choose this one

manually selected cert/key use until expired
  - if expired stop signing and log a warning

Is it possible to add a JIRA entry for your request?

https://jira.djigzo.com/

Never used this before but I will try.

Regards

Andreas
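The selection policies discussed above (Martijn's four option names and Andreas's "pick the longer-valid one automatically, but honour a manually selected key until it expires and then stop signing with a warning") can be written down as a small decision function. The following is an added example for this thread, not Djigzo's own code; the `Cert` record, the `select_signing_cert` signature and the sample certificates are all constructed here for illustration.

```python
"""Signing-certificate selection policies (hypothetical example, not Djigzo code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import logging

log = logging.getLogger("cert-select")


@dataclass(frozen=True)
class Cert:
    """Minimal view of a certificate, enough to decide whether it may sign now."""
    serial: str
    email: str
    not_before: datetime
    not_after: datetime
    can_sign: bool = True    # stands in for the digitalSignature key usage bit
    revoked: bool = False

    def valid_at(self, now: datetime) -> bool:
        return (self.can_sign and not self.revoked
                and self.not_before <= now <= self.not_after)


# Policy names as proposed in the thread.
NEVER_SELECT = "NEVER_SELECT"              # only a manually selected key is ever used
SELECT_FIRST_TIME = "SELECT_FIRST_TIME"    # current behaviour: pick once, keep until invalid
SELECT_NEWEST = "SELECT_NEWEST"            # re-evaluate per message: latest notBefore
SELECT_LONGEST_VALID = "SELECT_LONGEST_VALID"  # re-evaluate per message: latest notAfter


def candidates(certs, email, now):
    """Certificates for `email` that are valid for signing at `now`, in store order."""
    return [c for c in certs if c.email == email and c.valid_at(now)]


def select_signing_cert(certs, email, policy, now, current=None):
    """Return the certificate to sign the next message with, or None to not sign.

    `current` is the previously selected key (manually pinned or auto-selected).
    A pinned key is honoured while valid; once it is invalid the function logs a
    warning and, under NEVER_SELECT, stops signing instead of silently switching.
    """
    if current is not None:
        if current.valid_at(now):
            if policy in (NEVER_SELECT, SELECT_FIRST_TIME):
                return current
        else:
            log.warning("selected signing cert %s for %s is no longer valid",
                        current.serial, email)
    if policy == NEVER_SELECT:
        return None
    pool = candidates(certs, email, now)
    if not pool:
        return None
    if policy == SELECT_FIRST_TIME:
        return pool[0]
    if policy == SELECT_NEWEST:
        return max(pool, key=lambda c: c.not_before)
    if policy == SELECT_LONGEST_VALID:
        return max(pool, key=lambda c: c.not_after)
    raise ValueError(f"unknown policy {policy!r}")


def at(y, m, d):
    """Helper for building UTC timestamps in the examples below."""
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: an old cert about to expire and its renewal overlapping it.
OLD = Cert("01", "andreas@example.invalid", at(2009, 10, 1), at(2010, 10, 1))
NEW = Cert("02", "andreas@example.invalid", at(2010, 9, 15), at(2011, 9, 15))
STORE = [OLD, NEW]

if __name__ == "__main__":
    now = at(2010, 9, 16)
    for policy in (SELECT_FIRST_TIME, SELECT_NEWEST, SELECT_LONGEST_VALID, NEVER_SELECT):
        chosen = select_signing_cert(STORE, OLD.email, policy, now, current=OLD)
        print(policy, "->", chosen.serial if chosen else None)
```

During the overlap window SELECT_FIRST_TIME keeps the old key (the behaviour Martijn describes), SELECT_LONGEST_VALID switches to the renewal straight away (what Andreas asked for), and NEVER_SELECT simply returns whatever was pinned until that key is no longer valid.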