Hi,
I am an S/MIME user with a bunch of StartCom signed certificates. After updating to TB 52.0 [2] I can no longer send E-Mail using StartCom signed certificates. Obviously Mozilla's change [0][1] announced for FF 51 arrived in TB 52. Any other StartCom users around who already have plans how to migrate?
---
[0] https://blog.mozilla.org/security/2016/ ... tificates/
[1] https://docs.google.com/document/d/1C6B ... rR8vQ/edit#
[2] Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.0
TB 52.0: StartCom Certificates distrusted
- tanstaafl
- Moderator
Re: TB 52.0: StartCom Certificates distrusted
If your only issue is sending encrypted/signed messages why not just get a new S/MIME certificate from somebody else? You can still use your existing email address and account. http://kb.mozillazine.org/Message_security talks about being able to read encrypted messages using an expired certificate, so I assume the same thing occurs with a distrusted certificate.
Re: TB 52.0: StartCom Certificates distrusted
Sure, as long as you possess a copy of the private key, you can decrypt messages encrypted with the related public key/certificate in theory, and with TB also in practice, even with the new certificates in place.
However, certificate exchange is quite some work:
- Find a new CA
  - that is trusted by most common clients
  - is free
  - doesn't have your private key (yeah, some CAs believe it's a good idea to generate the private key for you)
  - issues certificates that are valid for a reasonable time
  - isn't likely to lose trust by most clients tomorrow
- Request the certificates.
- Collect the certificates.
- Distribute the certificates and private key across devices and clients.
- Re-configure all clients to use the new certificates.
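
One way to carry out the request, collect and distribute steps listed above while keeping the private key local, as an added example that is not part of the original post. The address, passphrase and file names are placeholders, and a self-signed certificate stands in for the new CA's reply so the script runs offline.

```shell
#!/bin/sh
# Added example: address, passphrase and file names are placeholders.
set -eu
EMAIL="user@example.org"
WORK="$(mktemp -d)"   # mode 0700 scratch directory; delete it after import

# Request: the key pair is created locally, so only the CSR
# (public key plus identity) is ever sent to the CA.
make_key_and_csr() {
    ( umask 077
      openssl req -new -newkey rsa:3072 -nodes \
          -keyout "$WORK/smime.key" -out "$WORK/smime.csr" \
          -subj "/CN=$EMAIL/emailAddress=$EMAIL" 2>/dev/null )
}

# Collect: stand-in for the CA's reply (self-signed, constructed for the demo).
fake_ca_reply() {
    openssl x509 -req -in "$WORK/smime.csr" -signkey "$WORK/smime.key" \
        -days 1 -out "$WORK/smime.crt" 2>/dev/null
}

# Check that a certificate ($1) carries the public key of a private key ($2).
cert_matches_key() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Distribute: one passphrase-protected PKCS#12 file ($1 = passphrase) is what
# gets copied to each device. Passing it on the command line is for the demo
# only; omit -passout to be prompted instead.
make_p12() {
    openssl pkcs12 -export -inkey "$WORK/smime.key" -in "$WORK/smime.crt" \
        -name "$EMAIL" -passout "pass:$1" -out "$WORK/smime.p12"
}

# Confirm the bundle opens with the passphrase ($1) before relying on it.
p12_opens() {
    openssl pkcs12 -in "$WORK/smime.p12" -passin "pass:$1" -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

make_key_and_csr
fake_ca_reply
cert_matches_key "$WORK/smime.crt" "$WORK/smime.key"
make_p12 'demo-only-passphrase'
p12_opens 'demo-only-passphrase'
echo "bundle ready: $WORK/smime.p12"
```

With a real CA, replace `fake_ca_reply` by submitting `smime.csr` and saving the issued certificate as `smime.crt`; the match check then catches a reply issued for a different key before it is imported anywhere.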