Re: S/MIME suggestions

[Bruce Stephens <bruce+gnus@cenderis.demon.co.uk>]

Simon Josefsson <jas@extundo.com> writes:

> Bruce Stephens <bruce+gnus@cenderis.demon.co.uk> writes:

[...]

> > Openssl allows this using the -noverify flag.  So (in a pleasantly
> > contradictory fashion), "openssl smime -verify -noverify ..." makes
> > perfect sense.
> 
> Yes.  What would good defaults be?  First try to verify
> message+certificate, with fall back to simply verify the message?
> In the second case, it could say something along the lines of
> 
> [[S/MIME Signed: OK (Untrusted CA))]]
> 
> What do you think?

Yes, probably.  The way Outlook Express does it (by default) is a bit
OTT, but it expresses the various possibilities.  When you open a
signed and/or encrypted message, you get a screen with a number of
items on it, with ticks or crosses by them.  I forget exactly the
list, but it'll include things like "signature verifies", "certificate
trusted", "certificate issuer trusted", "certificate subject matches
from address", and so on.  (Things for expiry, too, I guess.)

Then you need to click again to get to the message (which is what
sucks---Netscrape does this much less intrusively, and much more
appropriately, IMHO---also, when it's an encrypted message that you
can't decrypt, it won't even show you the (unencrypted) headers, which
is really dumb).

However, there seem to be a number of possibilities.  I think I'd like
to be able to trust a CA, but still be warned if something signed by a
certificate issued by it (i.e., I'd have a list of generally trusted
CAs, but mostly I'd explicitly trust individual certificates).

Anyway, this is making real progress---S/MIME support seems to be
approaching PGP's in usability.

> > Also, "openssl smime -verify ... -signer <file>" extracts the
> > certificate (presuming there is one).  That strikes me as a very
> > convenient feature to use.  Especially considering that "openssl x509
> > -email -noout -in <cert>.pem" prints out a list of email addresses for
> > the given certificate, which would presumably allow Gnus to check that
> > the email addresses match with the From header.
> 
> I've added support for this now.
> 
> This message should be an example of this, if you got the verisign
> cert in your CA path, it should say "Sender forged" (you might need to
> do `W s' if you disabled auto-verification).  If you click on the
> button it should display the certificate found in this message so you
> can spot why it happened.

OK, I'll try reading it when I've updated my Gnus.