Today I had to renew my certificates for signing and encrypting email
using S/MIME. This reminded me of a question I had regarding this
feature in SeaMonkey.

My default setting is to digitally sign all my outgoing email so that
the addressee can be ensured it came from me and was not tampered with
in transit. SeaMonkey keeps copies of my sent email complete with the
digital signatures.

If I display one of my sent email messages from yesterday the digital
signature on it is now reported as invalid. If I had displayed it
yesterday it would have been reported as valid.

From my point of view it would make sense to report the signature as
"valid but expired" if the certificate was current at the time the email
was sent, which can be determined from the timestamp of the message.

I seem to recall a similar problem with encrypted email messages, that
SeaMonkey will not decrypt an encrypted message if the certificate is
expired even if it was current at that timestamp of the message.

Is this something that can be addressed here? Is it something that
should be reported as a problem in Thunderbird, which I assume will
behave in the same manner?

Thank you for a great product.

Dave

On 8/9/2023 3:41 PM, David H Durgee wrote:
> Today I had to renew my certificates for signing and encrypting email
> using S/MIME. This reminded me of a question I had regarding this
> feature in SeaMonkey.
>
> My default setting is to digitally sign all my outgoing email so that
> the addressee can be ensured it came from me and was not tampered with
> in transit. SeaMonkey keeps copies of my sent email complete with the
> digital signatures.
>
> If I display one of my sent email messages from yesterday the digital
> signature on it is now reported as invalid. If I had displayed it
> yesterday it would have been reported as valid.
>
> From my point of view it would make sense to report the signature as
> "valid but expired" if the certificate was current at the time the email
> was sent, which can be determined from the timestamp of the message.
>
> I seem to recall a similar problem with encrypted email messages, that
> SeaMonkey will not decrypt an encrypted message if the certificate is
> expired even if it was current at that timestamp of the message.
>
> Is this something that can be addressed here? Is it something that
> should be reported as a problem in Thunderbird, which I assume will
> behave in the same manner?
>
> Thank you for a great product.
>
> Dave
>

By renewing it, did you merely get a new expiration date on an existing
certificate? Or did you get a new certificate? If the latter, it is
important that you retain the expired certificate so that it can be used
on old messages. At least, this is how OpenPGP uses certificates for
signing files.

--
David E. Ross
<http://www.rossde.com/>

For 30 years, I was a software test engineer, testing the
software used by the U.S. military to operate its space
satellites. I had a very high security clearance. If I
were convicted of what Donald Trump has been accused regarding
his keeping classified documents in his home, I would have
been sentenced to decades in prison. Thus, I indeed support
the concept of equal treatment under the law.

David E. Ross wrote:
> On 8/9/2023 3:41 PM, David H Durgee wrote:
>> Today I had to renew my certificates for signing and encrypting email
>> using S/MIME. This reminded me of a question I had regarding this
>> feature in SeaMonkey.
>>
>> My default setting is to digitally sign all my outgoing email so that
>> the addressee can be ensured it came from me and was not tampered with
>> in transit. SeaMonkey keeps copies of my sent email complete with the
>> digital signatures.
>>
>> If I display one of my sent email messages from yesterday the digital
>> signature on it is now reported as invalid. If I had displayed it
>> yesterday it would have been reported as valid.
>>
>> From my point of view it would make sense to report the signature as
>> "valid but expired" if the certificate was current at the time the email
>> was sent, which can be determined from the timestamp of the message.
>>
>> I seem to recall a similar problem with encrypted email messages, that
>> SeaMonkey will not decrypt an encrypted message if the certificate is
>> expired even if it was current at that timestamp of the message.
>>
>> Is this something that can be addressed here? Is it something that
>> should be reported as a problem in Thunderbird, which I assume will
>> behave in the same manner?
>>
>> Thank you for a great product.
>>
>> Dave
>>
>
> By renewing it, did you merely get a new expiration date on an existing
> certificate? Or did you get a new certificate? If the latter, it is
> important that you retain the expired certificate so that it can be used
> on old messages. At least, this is how OpenPGP uses certificates for
> signing files.
>

Yes, I get new certificates and keep the old ones. As I noted above,
this flags digitally signed old messages as having an invalid signature.
I should note, however, that it appears that decryption of encrypted
messages is still done. So it seems that S/MIME and OpenPGP work in a
similar way.

Dave