Signing Mail, 2022 Edition
About three years ago, I said:
I have been signing outgoing electronic mail, on and off, for many years.
It’s getting harder.
The S/MIME certificate I bought back then is about to expire, so I needed to renew.
The trend, let’s say, continues.
This year, the biggest issue is that the
<keygen> key generation mechanism used by certification
authorities is almost extinct: most browsers no longer implement it.
A short summary of the situation from Sectigo’s support page is:
S/MIME certificates can be applied only using Internet Explorer on Windows.
Internet Explorer is itself officially dead as of literally this past Tuesday, so it’s not clear that this is a sustainable position. Fortunately, it hasn’t been removed from my Windows 10 virtual machine yet so I was eventually — after two hours of infuriating trial and error — able to get a new certificate.
I’m not sure what will happen in two years when I need to renew again; I’m not confident that it will be possible to get a personal certificate at all at that point unless you’re working at the corporate level.
In my 2019 iteration of this post, I noted that there was an Internet-Draft describing an ACME mechanism for provisioning S/MIME certificates. Some people hoped that Let’s Encrypt (which has revolutionised the provision of TLS certificates) would provide the same kind of service on the S/MIME side. However, they’re not really set up or funded to address this problem and expressed no interest in doing so.
Things have moved on somewhat in that the Internet-Draft has become RFC 8823. There has even been some discussion at the CA/Browser Forum about incorporating this mechanism into their standards. However, I still see no sign of anyone preparing to step up and provide such a service to the public.
Watch this space, I guess, for at least another couple of years.