“A nearly impenetrable thicket of geekitude…”

Signing Mail, 2022 Edition

Posted on June 16, 2022 at 18:10

About three years ago, I said:

I have been signing outgoing electronic mail, on and off, for many years.

It’s getting harder.

The S/MIME certificate I bought back then is about to expire, so I needed to renew.

The trend, let’s say, continues.

This year, the biggest issue is that the <keygen> key generation mechanism used by certification authorities is almost extinct: most browsers no longer implement it. A short summary of the situation from Sectigo’s support page is:

S/MIME certificates can be applied only using Internet Explorer on Windows.

Internet Explorer is itself officially dead as of literally this past Tuesday, so it’s not clear that this is a sustainable position. Fortunately, it hasn’t been removed from my Windows 10 virtual machine yet so I was eventually — after two hours of infuriating trial and error — able to get a new certificate.

I’m not sure what will happen in two years when I need to renew again; I’m not confident that it will be possible to get a personal certificate at all at that point unless you’re working at the corporate level.

In my 2019 iteration of this post, I noted that there was an Internet-Draft describing an ACME mechanism for provisioning S/MIME certificates. Some people hoped that Let’s Encrypt (which has revolutionised the provision of TLS certificates) would provide the same kind of service on the S/MIME side. However, they’re not really set up or funded to address this problem and expressed no interest in doing so.

Things have moved on somewhat in that the Internet-Draft has become RFC 8823. There has even been some discussion at the CA/Browser Forum about incorporating this mechanism into their standards. However, I still see no sign of anyone preparing to step up and provide such a service to the public.

Watch this space, I guess, for at least another couple of years.