signing and encrypting with new <#secure> tag

signing and encrypting with new <#secure> tag

[David S. Goldberg]

[-- Attachment #1: Type: text/plain, Size: 301 bytes --]

Using smime, it appears that I am unable to both encrypt and sign a
message.  If I try to force two <#secure ...> tags, or put two modes
into a single one, I only get whatever is placed first.  Right now I
have a workaround, Running both mml-secure-sign-smime and
mml-secure-encrypt-smime generates a 

[-- Attachment #2: Type: text/plain, Size: 137 bytes --]

tag that handles both
signing and encrypting, but those commands are obviously deprecated.
-- 
Dave Goldberg
david.goldberg6@verizon.net

Re: signing and encrypting with new <#secure> tag

[Josh Huber]

david.goldberg6@verizon.net (David S. Goldberg) writes:

> Using smime, it appears that I am unable to both encrypt and sign a
> message.  If I try to force two <#secure ...> tags, or put two modes
> into a single one, I only get whatever is placed first.  Right now I
> have a workaround, Running both mml-secure-sign-smime and
> mml-secure-encrypt-smime generates a tag that handles both signing
> and encrypting, but those commands are obviously deprecated.

Well, they're not deprecated really, but they don't do the Right Thing
when your message has multiple parts.  Those functions are for signing
& encrypting parts of a message, and the <#secure tags are basically a
meta tag which expands to either a part or multipart tag depending on
if there are attachments in the message.

Now, as for encrypt & sign, what to do?

I don't use S/MIME, so I didn't get a chance to test the secure tags
for it.

With PGP/MIME right now encrypting signs as well...

There are basically 2 ways to do it with PGP/MIME:

1) sign the message using standard PGP/MIME signing, then encrypt that
   message.
2) encrypt the message with an embedded signature (using --sign with
   GnuPG)

I like method 2, since it happens with one pass of gpg, and is less
computatationally intensive. (and seems cleaner as well!)

Right now if you do <!part sign=pgpmime encrypt=pgpmime> it does
method #1...well, actually it signs the message, then encrypts it with
the embedded signature. (since the gpg encrypt functions automatically
use --sign when encrypting)

How does S/MIME handle sign+encrypt?

Just curious, since I'd like to change the default to
mode=signencrypt, but have the ability to use encrypt only as well.

I'm about to commit a fix which does change this.  Look at
lisp/mml-sec.el (at the bottom) for more information.

Basically, the pgp and pgpmime functions use mode=encrypt for now
(always), but the smime ones default to signencrypt.  I've set it up
so if you give the encrypt option a prefix argument it goes back to
only encrypting.

Please try it out!

PS:
on a side note, is there anything equivalent to ,@ for use outside of
backquote? I often find that it would be useful to flatten a list in
place without surrounding the outside form with `.

-- 
Josh Huber

Re: signing and encrypting with new <#secure> tag

[David S. Goldberg]

>>>>> On Sat, 13 Apr 2002 23:49:25 -0400, Josh Huber
>>>>> <huber@alum.wpi.edu> said:

> Well, they're not deprecated really, but they don't do the Right Thing
> when your message has multiple parts.  Those functions are for signing
> & encrypting parts of a message, and the <#secure tags are basically a
> meta tag which expands to either a part or multipart tag depending on
> if there are attachments in the message.

Ah.  Thank you for that.  I hadn't tried doing anything with
attachments and so didn't notice.

> Now, as for encrypt & sign, what to do?

> I don't use S/MIME, so I didn't get a chance to test the secure tags
> for it.

> With PGP/MIME right now encrypting signs as well...

> There are basically 2 ways to do it with PGP/MIME:

> 1) sign the message using standard PGP/MIME signing, then encrypt that
>    message.
> 2) encrypt the message with an embedded signature (using --sign with
>    GnuPG)

> How does S/MIME handle sign+encrypt?

I've only ever got openssl to handle option 1.  It looks like it
should be able to do option 2, but I haven't ever figured out how to
do so properly.  If I try to sign and encrypt in the same command line
I end up with complaints about unable to decrypt PKCS7 structure.

> Basically, the pgp and pgpmime functions use mode=encrypt for now
> (always), but the smime ones default to signencrypt.  I've set it up
> so if you give the encrypt option a prefix argument it goes back to
> only encrypting.

> Please try it out!

It works great.  Thanks!

-- 
Dave Goldberg
david.goldberg6@verizon.net

Re: signing and encrypting with new <#secure> tag

[Josh Huber]

david.goldberg6@verizon.net (David S. Goldberg) writes:

> If I try to sign and encrypt in the same command line I end up with
> complaints about unable to decrypt PKCS7 structure.

Okay, so that means S/MIME should default to doing two separate
commands for sign+encrypt.  Perhaps tonight I'll dig into the mml2015
stuff to figure out what controls a sign+encrypt.  Of course, this
being Gnus, we should make this ridiculously configurable! ;)

> It works great.  Thanks!

Excellent.

-- 
Josh Huber