From: "Arne Jørgensen" <arne@arnested.dk>
Cc: ding@gnus.org
Subject: Re: Get certificate from LDAP for S/MIME encryption (patch)
Date: Mon, 14 Feb 2005 23:50:43 +0100
Message-ID: <87wtta92nw.fsf@seamus.arnested.dk>
In-Reply-To: <ilu1xbiydkc.fsf@latte.josefsson.org> (Simon Josefsson's message of "Mon, 14 Feb 2005 23:36:03 +0100")
Simon Josefsson <jas@extundo.com> writes:
> Arne Jørgensen <arne@arnested.dk> writes:
>> The funny (load-library "net/ldap") was because the eudc package on my
>> debian had an incompatible ldap.elc installed, but that might be a
>> debian bug.
>
> I think it should be reported as a Debian bug. If it turns out this
> might affect many people, maybe we can analyze the situation further
> and come up with something better.
Already reported
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295285>
>>> Is auto-querying from LDAP sources reliable? Is there any suitable
>>> default-value for `smime-ldap-host-list'? It should be very safe to
>>> auto-query DNS.
>>
>> Well the default value, nil, should be fine. Then no certificate is
>> returned. And if the certificate is not found on the servers it asks,
>> nil is returned too. It should be pretty safe...
>
> And what if there is a non-nil value in the variable? Will the code
> fall back and return nil on any failures? I.e., missing openldap,
> network timeouts etc. Or will it throw an error? The latter should
> be avoided, IMHO.
There's room for testing here ;-) I'll have a closer look ... Wednesday.
>> Didn't you work on integrating the gnutls libraries in emacs a long
>> time ago? Could gnutls do s/mime stuff too?
>
> There is some PKCS#7 stuff in gnutls, so it might be possible to make
> that work. But if gpgsm is supposed to be a free and generic S/MIME
> implementation, I think we should try to avoid reinventing it before
> we have tried harder to use it. I'll have another go at it sometime.
You're right. From time to time I just dream about not having to
depend on external programs -- after debugging with different versions
of openldap and an openssl 0.9.7d (FC2) that segfaulted on smime -encrypt.
>> Another thing I was thinking of was verifying user certificates
>> received through dns/ldap/filecache before using them. If we
>> auto-query them, we shouldn't stop at the first found certificate in
>> the search path but the first that verifies.
>
> User configurable, though.
Of course.
> I would want an approach that, if there are multiple matching
> certificates, uses one of the certificates that verify, if any, but
> otherwise just pick any of them.
Yes, or if no verifiable certificate is found, ask (configurable)
whether to use a certificate that doesn't verify.
>> And then I just found a bug when you want to read a mail with an
>> encrypted attachment.
>
> Send a patch. :)
Sure. I'll look into it Wednesday.
Kind regards,
--
Arne Jørgensen <http://arnested.dk/>
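The behaviour the two of them converge on above (a nil host list yields no certificate, any LDAP failure yields nil instead of an error, and among several fetched certificates the first one that verifies wins, with a configurable fallback when none does) can be sketched in Emacs Lisp. This is an added example, not code from the thread or from Gnus' smime.el. It uses the real smime.el variables `smime-ldap-host-list`, `smime-openssl-program` and `smime-CA-file`, Emacs' `ldap-search`, and `openssl verify -purpose smimeencrypt`; the LDAP filter `(mail=...)`, the attribute name `userCertificate;binary`, the assumed shape of `ldap-search` results (a list of `(ATTRIBUTE VALUE...)` lists) and every `my-` name are assumptions for illustration.

```elisp
;; Added example, not code from the thread or from Gnus' smime.el.
;; Real names: `smime-ldap-host-list', `smime-openssl-program',
;; `smime-CA-file' (smime.el), `ldap-search' (ldap.el).
;; Assumed: the "(mail=...)" filter, the "userCertificate;binary"
;; attribute, the (ATTRIBUTE VALUE...) entry shape, and all `my-' names.
(require 'ldap)
(require 'seq)

(defvar my-smime-use-unverified-certificate 'ask
  "What to do when no fetched certificate verifies.
`ask' prompts the user, t silently uses the first candidate, nil refuses.")

(defun my-smime-ldap-escape (s)
  "Escape S for use inside an LDAP search filter (RFC 4515), so a
recipient address containing *, ( ) or \\ cannot widen the query."
  (replace-regexp-in-string
   "[\\*()\000]"
   (lambda (c) (format "\\%02x" (aref c 0)))
   s t t))

(defun my-smime-der-to-pem (der)
  "Wrap the DER byte string DER as a PEM certificate block."
  (concat "-----BEGIN CERTIFICATE-----\n"
          (base64-encode-string der)
          "\n-----END CERTIFICATE-----\n"))

(defun my-smime-ldap-candidates (mail)
  "Return every certificate (PEM string) published for MAIL on the hosts
in `smime-ldap-host-list'.  With the default nil host list this is nil.
Any failure talking to a host (no openldap, timeout, bad host name) is
caught and contributes no candidates instead of signalling an error."
  (let (certs)
    (dolist (host smime-ldap-host-list)
      (condition-case err
          (dolist (entry (ldap-search
                          (format "(mail=%s)" (my-smime-ldap-escape mail))
                          host '("userCertificate;binary") nil))
            (dolist (attr entry)
              (when (string= (car attr) "userCertificate;binary")
                (dolist (der (cdr attr))
                  (push (my-smime-der-to-pem der) certs)))))
        (error
         (message "smime: LDAP lookup on %s failed: %s"
                  host (error-message-string err)))))
    (nreverse certs)))

(defun my-smime-certificate-verifies-p (pem)
  "Non-nil if PEM chains to `smime-CA-file' and its key usage permits
S/MIME encryption, as judged by `openssl verify -purpose smimeencrypt'.
Nil when no CA file is configured, since nothing can verify then."
  (when smime-CA-file
    (let ((file (make-temp-file "smime-cand" nil ".pem")))
      (unwind-protect
          (progn
            (with-temp-file file (insert pem))
            ;; A segfaulting openssl makes `call-process' return a signal
            ;; description string, a missing one signals file-error; both
            ;; are treated as "does not verify" rather than as an error.
            (condition-case nil
                (eql 0 (call-process smime-openssl-program nil nil nil
                                     "verify" "-purpose" "smimeencrypt"
                                     "-CAfile" smime-CA-file file))
              (error nil)))
        (delete-file file)))))

(defun my-smime-cert-for-recipient (mail)
  "Return a PEM certificate to encrypt to MAIL, or nil.  Never signals.
Takes the first candidate that verifies, not merely the first found;
only if none verifies does `my-smime-use-unverified-certificate'
decide whether to fall back to an unverified one."
  (let ((candidates (my-smime-ldap-candidates mail)))
    (or (seq-find #'my-smime-certificate-verifies-p candidates)
        (and candidates
             (cond ((eq my-smime-use-unverified-certificate 'ask)
                    (and (y-or-n-p
                          (format "No verifiable certificate for %s; use an unverified one? "
                                  mail))
                         (car candidates)))
                   (my-smime-use-unverified-certificate
                    (car candidates))
                   (t nil))))))
```

Calling `(my-smime-cert-for-recipient "someone@example.org")` with `smime-ldap-host-list` left at nil returns nil without touching the network, which is the "default is safe" case from the discussion. Two caveats: `openssl verify` checks the chain, the validity period and (with `-purpose smimeencrypt`) the key usage, but not that the certificate's subject or subjectAltName email is actually the recipient's, so a match on the address should be checked before encrypting; and the DNS and file-cache sources mentioned in the thread can feed the same candidate list, with the same verify-first rule applied to all of them.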