From: Bruce Stephens
Newsgroups: gmane.emacs.gnus.general
Subject: Re: S/MIME suggestions
Date: 30 Nov 2000 00:34:02 +0000
Message-ID: <878zq2mh6t.fsf@cenderis.demon.co.uk>
References: <871yvxdkm5.fsf_-_@cenderis.demon.co.uk>
To: ding@gnus.org
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.2 (Pan)

Simon Josefsson writes:

> Bruce Stephens writes:

[...]

> > Openssl allows this using the -noverify flag.  So (in a pleasantly
> > contradictory fashion), "openssl smime -verify -noverify ..." makes
> > perfect sense.
>
> Yes.  What would good defaults be?  First try to verify
> message+certificate, with fall back to simply verify the message?
> In the second case, it could say something along the lines of
>
> [[S/MIME Signed: OK (Untrusted CA))]]
>
> What do you think?

Yes, probably.  The way Outlook Express does it (by default) is a bit
OTT, but it expresses the various possibilities.  When you open a
signed and/or encrypted message, you get a screen with a number of
items on it, with ticks or crosses by them.  I forget exactly the
list, but it'll include things like "signature verifies", "certificate
trusted", "certificate issuer trusted", "certificate subject matches
from address", and so on.  (Things for expiry, too, I guess.)

Then you need to click again to get to the message (which is what
sucks---Netscrape does this much less intrusively, and much more
appropriately, IMHO---also, when it's an encrypted message that you
can't decrypt, it won't even show you the (unencrypted) headers, which
is really dumb).

However, there seem to be a number of possibilities.  I think I'd like
to be able to trust a CA, but still be warned if something signed by a
certificate issued by it (i.e., I'd have a list of generally trusted
CAs, but mostly I'd explicitly trust individual certificates).

Anyway, this is making real progress---S/MIME support seems to be
approaching PGP's in usability.

> > Also, "openssl smime -verify ... -signer " extracts the
> > certificate (presuming there is one).  That strikes me as a very
> > convenient feature to use.  Especially considering that "openssl x509
> > -email -noout -in .pem" prints out a list of email addresses for
> > the given certificate, which would presumably allow Gnus to check that
> > the email addresses match with the From header.
>
> I've added support for this now.
>
> This message should be an example of this, if you got the verisign
> cert in your CA path, it should say "Sender forged" (you might need to
> do `W s' if you disabled auto-verification).  If you click on the
> button it should display the certificate found in this message so you
> can spot why it happened.

OK, I'll try reading it when I've updated my Gnus.
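The policy the thread converges on (verify message plus certificate, fall back to -noverify and label the result "Untrusted CA", then compare the From header with the addresses openssl x509 -email reports for the extracted signer certificate, labelling a mismatch "Sender forged"), as an added shell example that is not code from the thread or from Gnus. It drives the openssl CLI and constructs its own throwaway self-signed certificates and signed messages; alice@example.org, bob@example.org, ca@example.net and the file names are made up.

```shell
# Added example, not from the thread or from Gnus: the verification policy
# discussed above, done with the openssl CLI on constructed throwaway data.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

mkcert() {  # mkcert NAME EMAIL: throwaway self-signed cert and key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

sign_msg() {  # sign_msg FROM OUTFILE: sign a short body as alice, with a From header
  printf 'hello\n' | openssl smime -sign -signer "$WORK/alice.pem" \
    -inkey "$WORK/alice.key" -from "$1" -to ding@gnus.org \
    -subject test -out "$2"
}

# smime_status MSG CAFILE: print the label a reader like Gnus might show.
#   OK                  signature verifies and the chain is trusted
#   OK (Untrusted CA)   signature verifies, chain does not (-noverify fallback)
#   Sender forged       signature verifies, but From is not in the certificate
#   BAD                 signature does not verify at all
smime_status() {
  msg=$1; cafile=$2; signer="$WORK/signer.$$.pem"
  if openssl smime -verify -in "$msg" -CAfile "$cafile" \
       -signer "$signer" -out /dev/null 2>/dev/null; then
    label="OK"
  elif openssl smime -verify -noverify -in "$msg" \
       -signer "$signer" -out /dev/null 2>/dev/null; then
    label="OK (Untrusted CA)"
  else
    echo BAD; return 0
  fi
  # The thread's check: the From header must be one of the addresses that
  # "openssl x509 -email" reports for the signer certificate -verify wrote out.
  from=$(sed -n 's/^From: *//p' "$msg" | head -n 1)
  if openssl x509 -email -noout -in "$signer" | grep -qxF "$from"; then
    echo "$label"
  else
    echo "Sender forged"
  fi
}
mkcert alice alice@example.org        # the signer
mkcert otherca ca@example.net         # a CA that did not issue alice's cert
sign_msg alice@example.org "$WORK/good.eml"
sign_msg bob@example.org "$WORK/forged.eml"    # alice's key, someone else's From
smime_status "$WORK/good.eml" "$WORK/alice.pem"      # OK
smime_status "$WORK/good.eml" "$WORK/otherca.pem"    # OK (Untrusted CA)
smime_status "$WORK/forged.eml" "$WORK/alice.pem"    # Sender forged
```

Note that the fallback deliberately reports a verified signature under an untrusted chain as a distinct state rather than as a failure, which is the distinction Simon's "[[S/MIME Signed: OK (Untrusted CA)]]" label was meant to surface.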