From: jens.lechtenboerger@fsfe.org
Newsgroups: gmane.emacs.gnus.general
Subject: Re: S/MIME verification, marking of encrypted
Date: Sat, 10 Oct 2015 09:20:13 +0200 (CEST)
Message-ID: <1135889000.4424.1444461613315.JavaMail.open-xchange@ox1app>
To: ding
Xref: news.gmane.org gmane.emacs.gnus.general:86211

Hi Greg!

> I'm a longtime epg user with gnupg (coming from mailcrypt and then
> pgg), and generally it works well. I am now trying to get set up with
> S/MIME to interact with some people who do encrypted mail that way,
> and finding it harder than it seems I should.

If I understand correctly, they already use S/MIME, right? So,
probably this choice is not yours to make, but I recommend OpenPGP over
S/MIME, as explained in a blog entry:
https://blogs.fsfe.org/jens.lechtenboerger/2013/12/23/openpgp-and-smime/

> Part of my problem is the mysterious "No CA configured" error. That
> seems to come from smime.el, but I've tried to configure the use of
> epg and thus gpgsm, and that seems to actually work.

If you get that error you can be certain that openssl code was
involved, which is a bug.

> Specific questions:
> 0) I put in .emacs:
>
> (setq mml-smime-use 'epg)
>
> Is that sufficient and appropriate to make gnus use epg/gpgsm for
> S/MIME?

That should do it. Alternatively, you could put (require 'epg) into
.emacs (early on, before other encryption-related code gets called).

> 1) What is the thinking on the default for smime between epg/gpgsm and
> openssl?

My recommendation is to stay away from openssl. Use gpgsm.

> It seems to me that gpgsm is set up for passphrases and also
> to mark keys/CAs trusted or not in a more flexible manner, so that
> seems preferred. But Simon wrote smime.el, so I don't want to jump to
> conclusions.

In general, gpgsm includes full-fledged certificate management, which
you need to perform manually with openssl (storage, expiry,
revocation). Then, depending on your version of openssl, you may be
advertising broken encryption algorithms (in your signatures). Also,
you may want to read the BUGS section of man smime(1) and man cms(1).
In the blog entry mentioned above, these points are explained with some
Emacs-specific additions.

> 2) Are people sure that there are no control flow leaks into the
> openssl code when epg is configured? I am set up for gpgsm, and
> verifying messages that are from myself and signed or signed and
> encrypted seems to work. Verifying a message that is encrypted but
> not signed from someone else gives the "No CA configured" error.
> However, while doing this, I see that gpgsm was run and openssl was
> not (from atimes on the binaries).

No, there is at least one open bug: mm-view-pkcs7-verify is hard-wired
for openssl, while mm-view-pkcs7-decrypt respects mml-smime-use.
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18393

> 3) When verifying openpgp/mime, I am notified of decryption status as
> well as signatures, so that I know the message was encrypted. I don't
> see any hint of this with epg/gpgsm. Any advice, other than figure it
> out and send a patch?

For signed plaintext messages I see the verification status. For signed
and encrypted ones not. My advice is to go for OpenPGP :-)

Best wishes
Jens
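The following Emacs Lisp is an added example, not part of the message above and not code from Gnus itself. It addresses question 2 more directly than looking at binary atimes: it advises the openssl-backed entry points of smime.el and the EPG entry points of epg.el so that a line appears in *Messages* whenever either backend is actually called, which makes a stray call into smime.el visible even with mml-smime-use set to epg. The function names (smime-verify-region, smime-decrypt-region, smime-call-openssl-region, epg-verify-string, epg-decrypt-string, epg-context-protocol) are the ones defined in those libraries; the log text is my own, and advice-add assumes Emacs 24.4 or later.

```elisp
;; Added diagnostic for the thread above; not part of Gnus, epg.el or smime.el.
;; Goal: show in *Messages* which S/MIME backend really runs, so that a code
;; path that ignores mml-smime-use (as the reply says mm-view-pkcs7-verify does)
;; is caught at the moment it happens.

(setq mml-smime-use 'epg)   ; prefer gpgsm through EPG, as recommended in the reply
(require 'epg)
(require 'smime)            ; load smime.el now so its functions exist and can be advised

;; openssl-backed paths in smime.el: any of these firing means openssl was used.
(advice-add 'smime-verify-region :before
            (lambda (&rest _)
              (message "S/MIME trace: openssl path, smime-verify-region")))
(advice-add 'smime-decrypt-region :before
            (lambda (&rest _)
              (message "S/MIME trace: openssl path, smime-decrypt-region")))
(advice-add 'smime-call-openssl-region :before
            (lambda (&rest _)
              (message "S/MIME trace: openssl binary invoked")))

;; EPG paths. The first argument is the epg context; its protocol tells
;; whether gpgsm (CMS) or gpg (OpenPGP) is behind the call, so this also
;; separates S/MIME traffic from OpenPGP traffic in the same session.
(advice-add 'epg-verify-string :before
            (lambda (context &rest _)
              (message "S/MIME trace: EPG verify, protocol %s"
                       (epg-context-protocol context))))
(advice-add 'epg-decrypt-string :before
            (lambda (context &rest _)
              (message "S/MIME trace: EPG decrypt, protocol %s"
                       (epg-context-protocol context))))
```

Put this early in .emacs, then open a signed, an encrypted, and an opaque-signed (application/pkcs7-mime, not multipart/signed) S/MIME message in turn and watch *Messages*. A "protocol CMS" line is the gpgsm path; any "openssl path" line is a control-flow leak into smime.el of the kind the reply describes, and the function named in the line tells you which Gnus code path to report or work around.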