Identities and certificates

ollimax
Posts: 1
Joined: August 30th, 2004, 11:49 pm

Identities and certificates

Post by ollimax »

Hi! I have a problem with my certificate.

I have an account that supports two identities, one for private messages (which is the default) and the other for business messages, to show my business email to the recipient. For the business identity, I have not got an account, because it's actually a mail forward (or an alias, if you prefer to call it that way) on an IMAP server instead of a real mailbox.

I requested a certificate, which is valid for both addresses. I imported it to Thunderbird, and it works fine when I use the default identity. But when I switch the identity (in the From field) to my business identity, Thunderbird tells me I need to install one or more certificates.
I requested another certificate, with my business address only, removed the old one and installed this in its place, but the situation stays the same.
ronald_
Guest

multiple identities and a certificate for each

Post by ronald_ »

Hi!
Same problem for me ... I've set up two identities in one account:
email@a.com and email@b.com. There is one email certificate for email@a.com and one for email@b.com.
In the "multiple identity" dialog I am able to assign an OpenPGP key for each identity, but there is no option to assign S/MIME certificates. You can only assign one certificate for all identities to the account, but not per identity.
That's not so good, if this is true ...

Please, tell me that I am wrong!

cheers,
Ronald
BerndJantzen
Posts: 3
Joined: January 11th, 2006, 1:14 am

Re: Identities and certificates

Post by BerndJantzen »

I also noticed this feature/bug.

Actually, S/MIME certificates for signing and encryption can only be chosen on a per-account basis in the "Account Settings", in the "Security" section of each account. But when using multiple identities for one account, the configuration for all other identities except the default one is done via the "Manage Identities" button of each account. There the desired identity can be chosen and its settings can be changed via "Edit". These per-identity settings though do NOT include the possibility to select S/MIME certificates. In contrast to this, when the Enigmail extension is installed, there is both an "OpenPGP Security" entry in the account settings and an equally named tab in the identity settings of multiple identities. So OpenPGP/Enigmail settings can be chosen on a per-identity basis, while S/MIME settings cannot.

ronald_ wrote: You can only assign one certificate for all identities to the account, but not per identity.
That's not so good, if this is true ...

In fact, it is not even so that the security settings (S/MIME certificates) of each account apply to all identities assigned to this account. In reality, what you enter in the "Security" section of an account is only applied to the default identity of this account. For the other identities of the same account, no S/MIME certificates are configured, you cannot use S/MIME signing/encryption with these non-default identities.

I think this is a bug and should be corrected in Thunderbird. The multiple-identities support of Thunderbird should come with per-identity security settings.

Let me give some hints of a workaround until this problem is solved in the graphical interface of Thunderbird:
You can edit the Thunderbird settings by hand, either by editing the "prefs.js" file in your profile folder, or by choosing "Preferences" -> "Advanced" -> "Config Editor". There, for each identity, you find entries "mail.identity.idX.*", where "idX" is the label of the identity (id1, id2, ...). [I omit the "user_pref("...", ...);" which is wrapped around the entry label and value in "prefs.js", but not shown in the config editor.] If you want to know which identities are assigned to your account, first look for the server the entry "mail.server.serverY.name" of which has the correct name as value, then for the account the entry "mail.account.accountZ.server" of which has the correct "serverY" assigned, and finally find the list of identity labels in the value of the entry "mail.account.accountZ.identities".

Assuming that the desired identity with label "idX" is known, the entries concerning S/MIME settings are:
* "mail.identity.idX.sign_mail" -> true (sign messages by default) or false
* "mail.identity.idX.signing_cert_name" -> the name of the S/MIME certificate for signing (you can e.g. copy it from another identity or look what certificate names Thunderbird offers for the default identity)
* "mail.identity.idX.encryption_cert_name" -> the name of the S/MIME certificate for encryption
* "mail.identity.idX.encryptionpolicy" -> default behaviour for encryption, seems to be 0 (integer, not string!) for "Never" and 2 for "Required"

I have configured this for all my multiple identities per account for which I have S/MIME certificates, and it works well. (Except that when changing the from address in the compose window from one without S/MIME settings to another with S/MIME settings, the default for signing/encryption does not get applied; you have to choose this by hand.)

Best regards, Bernd
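
Added example (not part of the thread and not Thunderbird code): a small Python audit that follows the lookup chain described in the post above (server name -> serverY -> accountZ -> identity labels) and reports which identities have no S/MIME preferences set. The preference names are the ones quoted in the post; the sample prefs.js content, the server name "Private IMAP" and the certificate name are constructed for illustration.

```python
import re

# Constructed sample of prefs.js lines (not from a real profile).
SAMPLE_PREFS = '''
user_pref("mail.server.server1.name", "Private IMAP");
user_pref("mail.account.account1.server", "server1");
user_pref("mail.account.account1.identities", "id1,id2");
user_pref("mail.identity.id1.sign_mail", true);
user_pref("mail.identity.id1.signing_cert_name", "Example Cert A");
user_pref("mail.identity.id1.encryption_cert_name", "Example Cert A");
user_pref("mail.identity.id1.encryptionpolicy", 0);
user_pref("mail.identity.id2.sign_mail", false);
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

def parse_prefs(text):
    """Return {pref_name: value}; true/false and integers are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)   # encryptionpolicy must stay an integer
        else:
            prefs[name] = raw.strip('"')
    return prefs

def identities_for_server(prefs, server_name):
    """Follow server name -> serverY -> accountZ -> identity labels."""
    servers = {k.split(".")[2] for k, v in prefs.items()
               if re.fullmatch(r"mail\.server\.[^.]+\.name", k) and v == server_name}
    ids = []
    for k, v in prefs.items():
        m = re.fullmatch(r"mail\.account\.([^.]+)\.server", k)
        if m and v in servers:
            listed = prefs.get(f"mail.account.{m.group(1)}.identities", "")
            ids += [i.strip() for i in listed.split(",") if i.strip()]
    return ids

def smime_gaps(prefs, server_name):
    """Map each identity of the account to the S/MIME prefs it lacks."""
    wanted = ("signing_cert_name", "encryption_cert_name", "encryptionpolicy")
    return {i: [w for w in wanted if prefs.get(f"mail.identity.{i}.{w}") in (None, "")]
            for i in identities_for_server(prefs, server_name)}

if __name__ == "__main__":
    print(smime_gaps(parse_prefs(SAMPLE_PREFS), "Private IMAP"))
```

To check a real profile, pass the text of a copy of prefs.js to `parse_prefs` instead of the sample; the script only reads and never writes the file.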