Assurance

["Jones, Mark B" <>]

As you say, I have heard that if you read your Google mail with a client such 
as Thunderbird signing works.

But I don't think you have to go as far as end-to-end encryption.  Properly 
displaying a signed email has nothing to do with encryption or private keys.

Also, I am able to send and receive signed and/or encrypted email with M$ OWA 
using my private key on my USB token.  So this is doable in a web client 
without giving up control of your private key.

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Joe St Sauver
Sent: Monday, December 03, 2012 11:23 AM
To: 

Cc: 

Subject: Re: [Assurance] Request for Comment: IAP 4.2.4 Credential Issuance 
and Management

<>
 commented:

#This has been a point of frustration with Gmail for years... as far as I 
#know, they still don't support S/MIME. 

End-to-end encryption dramatically reduces Gmail's ability to target relevant 
ads at users, and since they live and die on their advertising revenues, 
well, there you go.

Abd from a user's POV, I also wouldn't want my email provider to have access 
to my private key, anyhow, right? 

That said, there are solutions that will let you do S/MIME with Gmail:

-- You can try Penango, see http://www.penango.com/ (caution: licensing
   required for some types of deployments, and note that when the browser
   updates, there may be a relatively brief lag while Penango gets rev'd
   for compatability with the new version)

-- Gmail also allows users to use IMAP, see
   http://support.google.com/mail/bin/answer.py?hl=en&answer=77695
   so you can also use any IMAP client that has good integrated S/MIME
   support (Thunderbird should work fine, for example)

If you're interested, feel free to check out my death march through client 
certificates (from a Security Professionals 2012 preconference seminar), 
http://pages.uoregon.edu/joe/secprof2012/sec-prof-2012-client-certs.pdf

Don't hesitate to drop me a note if you have any questions,

Regards,

Joe