Gnus development mailing list
From: "Arne Jørgensen" <arne@arnested.dk>
Cc: ding@gnus.org
Subject: Re: Get certificate from LDAP for S/MIME encryption (patch)
Date: Mon, 14 Feb 2005 20:01:00 +0100
Message-ID: <871xbjarv7.fsf@seamus.arnested.dk>
In-Reply-To: <iluis4vxie7.fsf@latte.josefsson.org>

Simon Josefsson <jas@extundo.com> writes:

> Arne Jørgensen <arne@arnested.dk> writes:
>
>> Simon Josefsson <jas@extundo.com> writes:
>>
>> Hi Simon,
>>
>> I'm sending this to you as e-mail because I have tried to post it to
>> gmane.emacs.gnus.general three times now without success. Feel free to
>> forward it to the list.
>
> I've cc'ed the mailing list.

And not arrived yet either. Maybe the mailing list is out of order.

>> Instead I have implemented a `smime-ldap-search' that will just call
>> `ldap-search' when running in Emacs 22 and above, and use a slightly
>> rewritten version of the same function in Emacs 21. See attached file
>> and new patch to use it.
>
> Applied.  I modified some things, please verify it still works.

All looks fine and still works.

The funny (load-library "net/ldap") was because the eudc package on my
debian had an incompatible ldap.elc installed, but that might be a
debian bug.

>> Other thoughts are:
>>
>>  - gnus should try to find the certificate without asking the user.
>>    Probably a list of preferred methods ('dns 'ldap 'file 'ask).
>
> Yup.
>
> Btw, I changed the default from dns to ldap.

Nice :-)

> Is auto-querying from LDAP sources reliable?  Is there any suitable
> default-value for `smime-ldap-host-list'?  It should be very safe to
> auto-query DNS.

Well the default value, nil, should be fine. Then no certificate is
returned. And if the certificate is not found on the servers it asks,
nil is returned too. It should be pretty safe...

>>  - better access to locally cached certificates (this was mentioned in
>>    the recent thread on gnu.emacs.gnus also). We could just store the
>>    certificates in a dir with the email address as file name.
>
> Yes.
>
> I wish there was a standard for Unix S/MIME MUAs for this, so Gnus
> wouldn't have to invent its own ideas.

Agreed. But I don't think we'll waste much work on just mapping
addresses to file names.

> IMHO, there is another major important item:
>
> - Replace use of OpenSSL with gpgsm.
>
> I will try to work on that.  I started some time ago, but never got
> gpgsm to sign messages properly.  If we fix this last OpenSSL use in
> Gnus, there would be no need for Gnus users to ever have to install
> OpenSSL, which I consider to be a big win.

I knew ;-)

Unfortunately there is no gpgsm in debian/unstable but replacing
openssl would be really good!

Didn't you work on integrating the gnutls libraries in emacs a long
time ago? Could gnutls do s/mime stuff too?

Another thing I was thinking of was verifying user certificates
received through dns/ldap/filecache before using them. If we
auto-query them, we shouldn't stop at the first found certificate in
the search path but the first that verifies.

And then I just found a bug when you want to read a mail with an
encrypted attachment.

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>
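
Two ideas from this message, the address-named certificate cache and returning the first certificate that verifies rather than the first one found, sketched in Emacs Lisp as an added example; it is not part of the message, the patch, or Gnus. All `my-smime-` names, the cache directory and the CA bundle path are assumptions, and verification shells out to `openssl verify`.

```elisp
;;; first-verifying-cert.el --- added sketch  -*- lexical-binding: t -*-
;; Every `my-smime-' name and both default paths are assumptions for this
;; example; none of them is part of smime.el.
(require 'cl-lib)

(defvar my-smime-cert-dir "~/.certs/"
  "Assumed cache directory: one PEM file per address, named after it.")
(defvar my-smime-ca-file "/etc/ssl/certs/ca-certificates.crt"
  "Assumed CA bundle that a usable certificate must chain to.")
(defvar my-smime-sources '(my-smime-from-file)
  "Ordered lookup functions, each taking an address and returning PEM or nil.
DNS and LDAP lookups would be further entries in this list.")

(defun my-smime-from-file (address)
  "Return the cached PEM certificate for ADDRESS, or nil."
  ;; ADDRESS comes from a message header, so accept only characters that
  ;; cannot form a path: no slash means no escape from the cache directory.
  (when (string-match-p "\\`[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\\'" address)
    (let ((file (expand-file-name (downcase address) my-smime-cert-dir)))
      (when (file-readable-p file)
        (with-temp-buffer
          (insert-file-contents file)
          (buffer-string))))))

(defun my-smime-verifies-p (pem address)
  "Return non-nil if PEM chains to `my-smime-ca-file' and names ADDRESS.
Assumes an OpenSSL whose `verify' exits non-zero on failure and
supports `-verify_email'."
  (with-temp-buffer
    (insert pem)
    ;; With no file argument, `openssl verify' reads from standard input.
    (eq 0 (call-process-region
           (point-min) (point-max) "openssl" nil nil nil
           "verify" "-purpose" "smimeencrypt" "-verify_email" address
           "-CAfile" (expand-file-name my-smime-ca-file)))))

(defun my-smime-find-cert (address)
  "Return the first certificate for ADDRESS that verifies, or nil.
A source whose certificate fails verification is skipped, not trusted."
  (cl-some (lambda (source)
             (let ((pem (funcall source address)))
               (and pem (my-smime-verifies-p pem address) pem)))
           my-smime-sources))
```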


