[linux-security] Re: SUMMARY: IMAP security across the net
- From: "Daniel Zen" <daniel zendigital com>
- To: <linux-security redhat com>
- Subject: [linux-security] Re: SUMMARY: IMAP security across the net
- Date: Thu, 17 Feb 2000 16:35:27 -0500

OK, let me first say that I got sslwrap to work. I am getting a warning in
Microsoft clients that says my certificate is not for my machine, but it
still works. I created my cert myself and did not purchase it from Verisign
or Thawte. Did I set it up wrong? Anyway it still works. Netscape begins
intelligently by warning me that the certificate cannot be authenticated,
and asks me if I want to accept it for this session only, or future sessions
(a nice feature.) Unfortunately it doesn't work at all in Netscape. Weird.

Let me explain something about my interest in encrypting my mail on the
server. It is to protect my archived mail, not to protect my incoming mail.
So that if somebody compromised root, they couldn't read my history. And, I
would hope I would notice a break-in. The only time I was broken into I
noticed it in less than 12 hours. Admittedly I was lucky, it was the IMAP
security hole from RH 5.x that let them in. But I am sure I would have
noticed eventually. Even if I didn't, at least they would only get my new
messages.

I agree that storing my private key on the server isn't the best idea, but
assuming it is well encrypted it would work. What if I encrypted all
incoming mail with my own public X.509 certificate? I like that idea. My
private key would stay with me. I haven't used this system much, but I take
it that it is supported in the standard clients, and I could keep it
encrypted on a floppy or CD.

I get e-mail from friends that aren't as savvy as me, and who either don't
want to, or shouldn't deal with encrypting e-mail they send to me. So
getting _everybody_ that sends me e-mail to encrypt their messages is not an
option. A select few could easily be convinced.

Thanks for the many replies.
Daniel Zen
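
The idea raised in the message above, encrypting each incoming message for storage with the recipient's own public X.509 certificate, sketched with the openssl command line. This is an added example, not part of the original post; the function names, subject names, paths and sample message are constructed, and it assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Names, paths and the sample
# message are constructed; assumes the openssl CLI is installed.

# make_identity DIR CN: self-signed certificate plus private key.
# -nodes leaves the key unencrypted for this demo only; the plan in the post
# is an encrypted key kept off the server (floppy or CD).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/private.pem" -out "$1/cert.pem" 2>/dev/null
}

# encrypt_for_storage CERT: stdin = raw message, stdout = S/MIME enveloped
# message. Only the public certificate is needed, so it can run on the server.
encrypt_for_storage() {
    openssl smime -encrypt -aes256 -binary "$1"
}

# decrypt_from_storage KEY CERT: runs on the client, where the private key is.
decrypt_from_storage() {
    openssl smime -decrypt -inkey "$1" -recip "$2"
}

# Constructed sample message from a sender who does not encrypt.
SAMPLE_MSG='From: friend@example.test
Subject: lunch

This sender never heard of encryption.'

# roundtrip_demo: returns 0 if the stored copy hides the body, the owner can
# read it, and a different key pair (standing in for someone who has root on
# the server but not the owner's private key) cannot.
roundtrip_demo() {
    local d; d=$(mktemp -d) || return 1
    mkdir "$d/owner" "$d/other"
    make_identity "$d/owner" "owner.example.test" || return 1
    make_identity "$d/other" "other.example.test" || return 1
    printf '%s\n' "$SAMPLE_MSG" | encrypt_for_storage "$d/owner/cert.pem" \
        > "$d/stored.eml" || return 1
    grep -q 'never heard' "$d/stored.eml" && return 1
    [ "$(decrypt_from_storage "$d/owner/private.pem" "$d/owner/cert.pem" \
        < "$d/stored.eml")" = "$SAMPLE_MSG" ] || return 1
    decrypt_from_storage "$d/other/private.pem" "$d/other/cert.pem" \
        < "$d/stored.eml" >/dev/null 2>&1 && return 1
    rm -rf "$d"
    return 0
}

roundtrip_demo && echo "round trip ok"
```

The message is still in the clear at the moment it is delivered, so this protects only the stored copies, which is the goal stated in the post.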