Simon Josefsson writes:

> Arne Jørgensen writes:
>
>> I have written a patch for smime.el and mml-smime.el that implements
>> this.
>
> Neat!
>
>> At the moment the functions are added to Gnus at the same places where
>> you will find the support for getting certificates via DNS. So the
>> functionality is only at hand if you choose to encrypt a part and not
>> a message. But this is a general problem not directly related to LDAP
>> support.[1]
>
> This came up recently as well. If you want to work on fixing that, it
> would be appreciated.

See below.

>> A major drawback is that it will only work with Emacs 22 (the cvs
>> version). This is partly because Emacs 21.3's ldap.el is written
>> towards OpenLDAP v1 (and I think everybody uses OpenLDAP v2 these
>> days) and partly because a regexp in that ldap.el does not recognise
>> attribute descriptions like the binary part of
>> "userCertificate;binary". A patch for Emacs 21.3's ldap.el is
>> attached.
>
> Can you post it to emacs-devel@gnu.org? If nobody objects to it, but
> nobody applies it, ping me and I might be able to.

Well, CVS Emacs' ldap.el is already written towards OpenLDAP v2 and I got
the patches to retrieve ";binary" stuff applied about a week ago.

There are no releases planned in the 21.x series except for security
fixes (like the newly released 21.4). The next release from cvs trunk
will be 22.

Instead I have implemented a `smime-ldap-search' that will just call
`ldap-search' when running in Emacs 22 and above, and use a slightly
rewritten version of the same function in Emacs 21. See attached file
and new patch to use it.

>> I have not tested it on 20.7 (is it still supported by Gnus?). I
>> tried building No Gnus on 20.7, but that didn't work (this may be
>> because of a bad emacs installation on the machine with 20.7). It
>> will probably not work on 20.7 because as far as I can see there is
>> no ldap.el in 20.7.
>
> CVS Gnus does not support 20.7.

Great. I hadn't noticed.
>> [1] Actually I will probably volunteer to reimplement the user
>> interface to the S/MIME stuff. But before coding we should agree
>> on how we would like it to be. (And PGP and S/MIME should probably
>> share the same interface ideas and I know nothing about PGP (yet)).
>
> Great. What is there to agree on? Is there something wrong with
> making the MML tag for individual parts work on the "global" security
> MML tag?

I don't think so. That was part of what I was thinking of. Other
thoughts are:

- gnus should try to find the certificate without asking the user.
  Probably a list of preferred methods ('dns 'ldap 'file 'ask).

- better access to locally cached certificates (this was mentioned in
  the recent thread on gnu.emacs.gnus also). We could just store the
  certificates in a dir with the email address as file name.

- maybe wait until the message is to be sent before we ask which
  certificates to use. At the moment you will not sign/encrypt to
  addresses added after you have put in the mml tags. DNS and LDAP
  store the certificates in a temporary buffer - what happens if you
  file the mail as a draft and leave Emacs?

- haven't verified this recently, but I think gnus will send a message
  even though openssl fails (ie because of a typo in the password).
  This should probably be considered a security bug.

- use password.el to cache passwords as you mentioned on
  gnu.emacs.gnus.

> Have you assigned copyright on your work? It is required before we
> can install your patch.

Yes. I signed papers for Gnus some time around christmas 2003.

> Thanks!

Always a pleasure.

Kind regards,
-- 
Arne Jørgensen
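The three ideas raised in the reply above (try certificate sources in a preferred order without asking, keep a per-address cache on disk so a draft survives an Emacs restart, and refuse to send when openssl fails) as an added Emacs Lisp sketch. This is example code written for this page, not Arne's patch and not code from Gnus or smime.el. Every `smime-example-` name, the `~/.smime-certs/` directory and the default method list are assumptions; the LDAP and DNS lookups are stubs returning nil that stand in for the real lookups, and only `call-process`, `with-temp-file` and the other Emacs primitives used here are real.

```elisp
;; Added example, not Gnus code.  Names prefixed smime-example- are
;; hypothetical; the cache directory and method order are assumptions.

(defvar smime-example-cache-directory "~/.smime-certs/"
  "Assumed directory holding cached certificates, one PEM file per address.")

(defvar smime-example-lookup-methods '(file ldap dns ask)
  "Assumed order in which certificate sources are tried.")

(defun smime-example-cache-file (address)
  "Return the cache file for ADDRESS.
The address is lower-cased and directory separators or \"..\" are rejected,
so a crafted address cannot name a file outside the cache directory."
  (let ((addr (downcase address)))
    (when (string-match-p "[/\\\\]\\|\\.\\." addr)
      (error "Refusing unsafe certificate file name for %s" address))
    (expand-file-name (concat addr ".pem") smime-example-cache-directory)))

(defun smime-example-cert-by-file (address)
  "Return the cached PEM certificate for ADDRESS, or nil if none is cached."
  (let ((file (smime-example-cache-file address)))
    (when (file-readable-p file)
      (with-temp-buffer
        (insert-file-contents file)
        (buffer-string)))))

(defun smime-example-cert-by-ldap (address)
  "Stub standing in for an LDAP lookup; always returns nil here."
  (ignore address)
  nil)

(defun smime-example-cert-by-dns (address)
  "Stub standing in for a DNS lookup; always returns nil here."
  (ignore address)
  nil)

(defun smime-example-cert-by-ask (address)
  "Ask the user for a certificate file for ADDRESS and return its contents."
  (with-temp-buffer
    (insert-file-contents
     (read-file-name (format "Certificate for %s: " address)))
    (buffer-string)))

(defun smime-example-store-cert (address pem)
  "Save PEM under ADDRESS so later lookups succeed without network or user."
  (make-directory smime-example-cache-directory t)
  (with-temp-file (smime-example-cache-file address)
    (insert pem))
  pem)

(defun smime-example-find-cert (address &optional methods)
  "Try each method in METHODS (default `smime-example-lookup-methods')
until one yields a certificate for ADDRESS.  Anything found outside the
cache is written to the cache, so a draft reopened later still finds it."
  (let ((pem nil))
    (dolist (method (or methods smime-example-lookup-methods))
      (unless pem
        (setq pem (cond ((eq method 'file) (smime-example-cert-by-file address))
                        ((eq method 'ldap) (smime-example-cert-by-ldap address))
                        ((eq method 'dns)  (smime-example-cert-by-dns address))
                        ((eq method 'ask)  (smime-example-cert-by-ask address))
                        (t (error "Unknown lookup method %s" method))))
        (when (and pem (not (eq method 'file)))
          (smime-example-store-cert address pem))))
    (or pem (error "No certificate found for %s" address))))

(defun smime-example-call-openssl (infile &rest args)
  "Run openssl with ARGS, feeding it INFILE, and return its output.
`call-process' returns the exit status; anything but 0 signals an error,
so a sign or encrypt step that failed (wrong password, bad cert) aborts
the send instead of leaving a half-built message in the buffer."
  (with-temp-buffer
    (let ((status (apply #'call-process "openssl" infile (current-buffer) nil args)))
      (unless (and (integerp status) (zerop status))
        (error "openssl %s failed (exit %s): %s"
               (car args) status (buffer-string)))
      (buffer-string))))

;; Usage (both calls are illustrative):
;; (smime-example-find-cert "alice@example.org" '(file ldap dns))
;; (smime-example-call-openssl "message.txt" "smime" "-sign"
;;                             "-signer" "me.pem" "-inkey" "me.key")
```

The point of `smime-example-call-openssl` is the `unless (zerop status)` check: whatever the message-sending code does next, it runs on the returned string, so a non-zero openssl exit can only reach the user as an error, never as an unsigned or unencrypted message going out.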