German organizations like Arbeitsagentur, Insurances and companies use S/MIME “gateway certificates” with a gateway server. See below for an explanation.
I’m wondering if it’s possible to implement using S/MIME “gateway certificates” without a gateway server by using a plugin or if not which parts for a partial solution. I have tried Gpg4win and encrypting to an address that uses a “gateway certificate” was already not easy. I found these posts asking for that:
encrypting to a CMS certificate for S/MIME should be possible. The problem usually is to configure the system to accept the root certificates.
The second problem is to be able to select an encryption pubkey (aka the certificate) for an email address that is not in the certificate itself. All email client should allow this, after a safety action.
Once all is configured, S/MIME can be used even more easily than OpenPGPv4/MIME, at least for end-to-end cryptography. A gateway server is not end-to-end, obviously, the questions is why to use it in the first place.
I couldn’t find an email client that allows selecting a certificate for an email address that is not in the certificate. There seems to be a registry hack for MS Outlook. I think Gpg4win enables this however, so that’s good.
I too asked myself why some organizations use gateway server since it’s not end-to-end encryption. I think it’s because they use both in-house email and gateway servers and like that the setup work for end-users is basically nonexistent, so only admins need to work on that. It also enables buying just one certificate for all users. (I think I’ve read a post by you saying that a team certificate with a team email address could be used. It’s a great tip, but some end-users want to use their individual email addresses (even though the whole organization can access the decrypted content.))
About the other way around: Do you think a “domain certificate” could be set up (if there were software available that supported it, like a client or plugin) to work without a gateway server so that it could be used to encrypt emails to a gateway server and decrypted when sent from a gateway server? Or do gateway servers somehow require gateway-to-gateway contact in order to work properly?
If it’s feasible a client or plugin could save lots of organizations lots of work and money. When they hear about “domain certificates” they all need to research about what that means, what it is, how to use it, which companies offer gateway servers and so on. However they would still need to get a “domain certificate” and set it up themselves, so that part of the gateway-model can’t be spared I suppose.
It depends on what you define as the “end”. The gateway server is part of the organization’s infrastructure, so if you receive an S/MIME-encrypted & signed e-mail, you can be assured it really comes from the organization and the e-mail was encrypted in transit.
Given that many MUAs are not classical email clients like K-Mail or Thunderbird, but rather ticketing systems or even more complex software, operating a single gateway server that handles encryption, decryption, and signing, bundling all the complexity in one place, also makes sense architecturally.
Hi @swagner, glad you’re interested in the topic as well.
I think it’s useful to define “end” as the end-user’s mail client. It can get pretty confusing otherwise. In this context the important distinction is that no one else has access to the decrypted data. If you disagree, what advantages do you see in defining “end” differently?
Regarding the assurance of the email being encrypted in transit:
Is TLS not enough for that?
I might write a list of challenges and questions for the use of domain certificates without a gateway server. Hope anyone cares see whether someone knowledgeable replies whether it’s possible at all.
see whether someone knowledgeable replies whether it’s possible at all.