TB 52.0: StartCom Certificates distrusted

Discussion of general topics about Mozilla Thunderbird
rillke
Posts: 2
Joined: April 10th, 2017, 4:46 am

TB 52.0: StartCom Certificates distrusted

Post by rillke »

Hi,

I am an S/MIME user with a bunch of StartCom-signed certificates. After updating to TB 52.0 [2] I can no longer send e-mail using StartCom-signed certificates. Obviously Mozilla's change [0][1] announced for FF 51 arrived in TB 52. Any other StartCom users around who already have plans for how to migrate?

---
[0] https://blog.mozilla.org/security/2016/ ... tificates/
[1] https://docs.google.com/document/d/1C6B ... rR8vQ/edit#
[2] Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.0
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: TB 52.0: StartCom Certificates distrusted

Post by tanstaafl »

If your only issue is sending encrypted/signed messages, why not just get a new S/MIME certificate from somebody else? You can still use your existing email address and account. http://kb.mozillazine.org/Message_security talks about being able to read encrypted messages using an expired certificate, so I assume the same thing occurs with a distrusted certificate.
rillke
Posts: 2
Joined: April 10th, 2017, 4:46 am

Re: TB 52.0: StartCom Certificates distrusted

Post by rillke »

Sure, as long as you possess a copy of the private key, you can decrypt messages encrypted with the related public key/certificate in theory, and with TB also in practice, even with the new certificates in place.

However, certificate exchange is quite some work:
  • Find a new CA
    • that is trusted by most common clients
    • is free
    • doesn't have your private key (yeah, some CAs believe it's a good idea to generate the private key for you)
    • issues certificates that are valid for a reasonable time
    • isn't likely to lose trust by most clients tomorrow
    which left only one I found (Com***) that issues certs valid for one year and lets your browser generate them.
  • Request the certificates.
  • Collect the certificates.
  • Distribute the certificates and private key across devices and clients.
  • Re-configure all clients to use the new certificates.
I wish there were a Let's Encrypt for e-mail...