MozillaZine

TB 52.0: StartCom Certificates distrusted

Discussion of general topics about Mozilla Thunderbird
rillke
 
Posts: 2
Joined: April 10th, 2017, 4:46 am

Posted April 10th, 2017, 5:06 am

Hi,

I am an S/MIME user with a bunch of StartCom signed certificates. After updating to TB 52.0 [2] I can no longer send E-Mail using StartCom signed certificates. Obviously Mozilla's change [0][1] announced for FF 51 arrived in TB 52. Any other StartCom users around who already have plans how to migrate?

---
[0] https://blog.mozilla.org/security/2016/ ... tificates/
[1] https://docs.google.com/document/d/1C6B ... R8vQ/edit#
[2] Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.0

tanstaafl
Moderator

 
Posts: 43367
Joined: July 30th, 2003, 5:06 pm

Posted April 11th, 2017, 2:49 pm

If your only issue is sending encrypted/signed messages why not just get a new S/MIME certificate from somebody else? You can still use your existing email address and account. http://kb.mozillazine.org/Message_security talks about being able to read encrypted messages using an expired certificate, so I assume the same thing occurs with a distrusted certificate.

rillke
 
Posts: 2
Joined: April 10th, 2017, 4:46 am

Posted April 14th, 2017, 3:01 pm

Sure, as long as you possess a copy of the private key, you can decrypt messages encrypted with the related public key/certificate in theory, and with TB also in practice, even with the new certificates in place.

However, certificate exchange is quite some work:
  • Find a new CA
    • that is trusted by most common clients
    • is free
    • doesn't have your private key (yeah, some CAs believe it's a good idea to generate the private key for you)
    • issues certificates that are valid for a reasonable time
    • isn't likely to lose trust by most clients tomorrow
    which left only one I found (Com***) that issues certs valid for one year and lets your browser generate them.
  • Request the certificates.
  • Collect the certificates.
  • Distribute the certificates and private key across devices and clients.
  • Re-configure all clients to use the new certificates.

I wish there were a Let's Encrypt for E-Mails...
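Added example, not from the thread or from Thunderbird: a small script for the migration checklist above. It generates the S/MIME key and CSR locally so the CA never holds the private key, and audits existing certificates for a StartCom issuer or imminent expiry. It assumes OpenSSL 1.1.1+ is installed; the e-mail address, file paths and the self-signed sample certificates are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from the thread: keep the S/MIME private key local by
# generating the key and a CSR yourself (only the CSR goes to the CA), then
# audit issued certificates for a StartCom issuer or imminent expiry.
# Assumes OpenSSL 1.1.1+ on PATH; the address and paths are constructed.
EMAIL="${EMAIL:-alice@example.com}"   # constructed placeholder address
WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs

# Generate a 3072-bit RSA key and a CSR carrying the address as a SAN.
# The key never leaves $WORK; submit only $WORK/smime.csr to the CA.
make_smime_csr() {
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$WORK/smime.key" -out "$WORK/smime.csr" \
        -subj "/CN=$EMAIL/emailAddress=$EMAIL" \
        -addext "subjectAltName=email:$EMAIL" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
}
# Exit 0 when the certificate in $1 names a StartCom CA as its issuer.
issued_by_startcom() { openssl x509 -in "$1" -noout -issuer | grep -qi StartCom; }
# Exit 0 when the certificate in $1 stays valid for at least $2 more days.
valid_for_days() { openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null; }

# Constructed fixture: self-signed cert with issuer organisation $2 at $1,
# standing in for a CA-issued certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "${1%.pem}.key" -out "$1" -subj "/O=$2/CN=$EMAIL" 2>/dev/null
}

# Print one verdict per certificate; return 0 only when none needs replacing.
audit_certs() {
    bad=0
    for cert in "$@"; do
        if issued_by_startcom "$cert"; then
            echo "$cert: issued by StartCom, distrusted in TB 52, replace"; bad=1
        elif ! valid_for_days "$cert" 30; then
            echo "$cert: expires within 30 days, replace"; bad=1
        else
            echo "$cert: ok"
        fi
    done
    return $bad
}

# Demo run: build the CSR, then audit two constructed sample certificates.
make_smime_csr && echo "CSR ready: $WORK/smime.csr (key stays in $WORK)"
make_sample_cert "$WORK/old.pem" "StartCom Ltd."   # constructed fixture
make_sample_cert "$WORK/new.pem" "Example CA"      # constructed fixture
audit_certs "$WORK/old.pem" "$WORK/new.pem"
```

Point the audit at the PEM files exported from each client to find the certificates that must be replaced before the new ones are distributed.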
