From: Arne Jørgensen
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Get certificate from LDAP for S/MIME encryption (patch)
Date: Mon, 14 Feb 2005 23:50:43 +0100
Organization: Arne Joergensen -- http://arnested.dk/
Message-ID: <87wtta92nw.fsf@seamus.arnested.dk>
References: <87u0ohv8vg.fsf@seamus.arnested.dk> <877jlbrzdq.fsf@seamus.arnested.dk> <871xbjarv7.fsf@seamus.arnested.dk>
To: Simon Josefsson
Cc: ding@gnus.org
In-Reply-To: (Simon Josefsson's message of "Mon, 14 Feb 2005 23:36:03 +0100")
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)

Simon Josefsson writes:

> Arne Jørgensen writes:
>> The funny (load-library "net/ldap") was because the eudc package on my
>> debian had an incompatible ldap.elc installed, but that might be a
>> debian bug.
>
> I think it should be reported as a Debian bug. If it turns out this
> might affect many people, maybe we can analyze the situation further
> and come up with something better.

Already reported.

>>> Is auto-querying from LDAP sources reliable? Is there any suitable
>>> default-value for `smime-ldap-host-list'? It should be very safe to
>>> auto-query DNS.
>>
>> Well the default value, nil, should be fine. Then no certificate is
>> returned. And if the certificate is not found on the servers it asks,
>> nil is returned too. It should be pretty safe...
>
> And what if there is a non-nil value in the variable? Will the code
> fall back and return nil on any failures? I.e., missing openldap,
> network timeouts etc. Or will it throw an error? The latter should
> be avoided, IMHO.

There's room for testing here ;-) I'll have a closer look .. Wednesday.

>> Didn't you work on integrating the gnutls libraries in emacs a long
>> time ago? Could gnutls do s/mime stuff too?
>
> There is some PKCS#7 stuff in gnutls, so it might be possible to make
> that work. But if gpgsm is supposed to be a free and generic S/MIME
> implementation, I think we should try to avoid reinventing it before
> we have tried harder to use it. I'll have another go at it sometime.

You're right. From time to time I just dream about not having to depend
on external programs -- after debugging with different versions of
openldap and an openssl 0.9.7d (FC2) that segfaulted on smime -encrypt.

>> Another thing I was thinking of was verifying user certificates
>> received through dns/ldap/filecache before using them. If we
>> auto-query them, we shouldn't stop at the first found certificate in
>> the search path but the first that verifies.
>
> User configurable, though.

Of course.

> I would want an approach that, if there are multiple matching
> certificates, uses one of those certificates that verify, if any, but
> otherwise just pick any of them.

Yes, or if no verifiable certificates are found, ask (configurable)
whether to use a certificate that doesn't verify.

>> And then I just found a bug when you want to read a mail with an
>> encrypted attachment.
>
> Send a patch. :)

Sure. I'll look into it Wednesday.

Kind regards,
-- 
Arne Jørgensen
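The lookup policy the thread converges on (skip a source that fails instead of signalling an error, prefer the first certificate that verifies over the first one found, and make the handling of unverified certificates configurable) as a small Python model. This is an added example, not Gnus or smime.el code; the `Cert` type, the trust-anchor check in `verifies` and the three source functions are constructed stand-ins for the DNS, LDAP and file-cache lookups discussed above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    body: str          # placeholder; a real lookup returns DER/PEM bytes


# Constructed trust anchors; a real client would run a chain validation
# (gpgsm / openssl verify) instead of this issuer-name check.
TRUSTED_ISSUERS = {"CN=Example Root CA"}


def verifies(cert: Cert) -> bool:
    return cert.issuer in TRUSTED_ISSUERS


def lookup_cert(sources, address, policy="ask", confirm=lambda cert: False):
    """Walk every source in order and collect candidate certificates.

    A source that raises (missing ldap binary, network timeout, refused
    connection) is skipped, never propagated, so the caller always gets a
    Cert or None: the 'fall back to nil' behaviour the thread asks for.
    policy selects what happens when no candidate verifies:
      'verified-only' -> None; 'ask' -> confirm(cert) decides; 'any' -> first
    """
    found = []
    for source in sources:
        try:
            found.extend(source(address))
        except Exception:            # deliberately broad: lookup fails soft
            continue
    verified = [c for c in found if verifies(c)]
    if verified:
        return verified[0]           # first *verifying* cert, not first found
    if not found or policy == "verified-only":
        return None
    if policy == "ask":
        return found[0] if confirm(found[0]) else None
    return found[0]                  # 'any': accept an unverified certificate


# Constructed sources standing in for DNS, LDAP and the local file cache.
def dns_source(address):
    return []                        # nothing published in DNS


def ldap_source(address):
    raise TimeoutError("ldap server unreachable")   # must not abort lookup


def cache_source(address):
    return [Cert("CN=bob", "CN=Unknown CA", "..."),
            Cert("CN=bob", "CN=Example Root CA", "...")]
```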