From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Get certificate from LDAP for S/MIME encryption (patch)
Date: Mon, 14 Feb 2005 23:36:03 +0100
References: <87u0ohv8vg.fsf@seamus.arnested.dk> <877jlbrzdq.fsf@seamus.arnested.dk> <871xbjarv7.fsf@seamus.arnested.dk>
To: Arne Jørgensen
Cc: ding@gnus.org
In-Reply-To: <871xbjarv7.fsf@seamus.arnested.dk> (Arne Jørgensen's message of "Mon, 14 Feb 2005 20:01:00 +0100")
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)

Arne Jørgensen writes:

>>> Instead I have implemented a `smime-ldap-search' that will just call
>>> `ldap-search' when running in Emacs 22 and above, and use a slightly
>>> rewritten version of the same function in Emacs 21. See attached file
>>> and new patch to use it.
>>
>> Applied. I modified some things, please verify it still works.
>
> All looks fine and still works.

Great!

> The funny (load-library "net/ldap") was because the eudc package on my
> Debian had an incompatible ldap.elc installed, but that might be a
> Debian bug.

I think it should be reported as a Debian bug. If it turns out this
might affect many people, maybe we can analyze the situation further
and come up with something better.

>> Is auto-querying from LDAP sources reliable? Is there any suitable
>> default value for `smime-ldap-host-list'? It should be very safe to
>> auto-query DNS.
>
> Well, the default value, nil, should be fine. Then no certificate is
> returned. And if the certificate is not found on the servers it asks,
> nil is returned too. It should be pretty safe...

And what if there is a non-nil value in the variable? Will the code
fall back and return nil on any failures? I.e., missing openldap,
network timeouts etc. Or will it throw an error? The latter should be
avoided, IMHO.

>> IMHO, there is another major important item:
>>
>> - Replace use of OpenSSL with gpgsm.
>>
>> I will try to work on that. I started some time ago, but never got
>> gpgsm to sign messages properly. If we fix this last OpenSSL use in
>> Gnus, there would be no need for Gnus users to ever have to install
>> OpenSSL, which I consider to be a big win.
>
> I knew ;-)
>
> Unfortunately there is no gpgsm in debian/unstable, but replacing
> openssl would be really good!

gpgsm appears to be a bit unstable. It would be nice if someone
packaged it, though.

> Didn't you work on integrating the gnutls libraries in emacs a long
> time ago? Could gnutls do S/MIME stuff too?

There is some PKCS#7 stuff in gnutls, so it might be possible to make
that work. But if gpgsm is supposed to be a free and generic S/MIME
implementation, I think we should try to avoid reinventing it before
we have tried harder to use it. I'll have another go at it sometime.

> Another thing I was thinking of was verifying user certificates
> received through dns/ldap/filecache before using them. If we
> auto-query them, we shouldn't stop at the first found certificate in
> the search path but the first that verifies. User configurable, though.

I would want an approach that, if there are multiple matching
certificates, uses one of those certificates that verify, if any, but
otherwise just picks any of them.

> And then I just found a bug when you want to read a mail with an
> encrypted attachment.

Send a patch. :)

Thanks.
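The two design points raised in this message, that a failing source (missing openldap, network timeout) should yield nil rather than an error, and that a certificate which verifies should be preferred over the first one found, can be sketched in a few lines of Emacs Lisp. This is an added illustration, not code from Gnus or smime.el; `my-smime-fetchers`, `my-smime-safe-fetch`, `my-smime-find-certificate` and the verifier predicate are hypothetical names, and the sample fetchers and certificate strings are constructed.

```elisp
;; Added illustration, not Gnus/smime.el code.  Each fetcher stands for one
;; source (file cache, DNS, or a wrapper around `smime-ldap-search') and is
;; a hypothetical name.  A fetcher takes an e-mail address and returns a
;; list of certificates (here plain strings); it may signal an error.
(defvar my-smime-fetchers nil
  "List of certificate-source functions, searched in order.")

(defun my-smime-safe-fetch (fetcher address)
  "Call FETCHER with ADDRESS, returning nil instead of signalling.
A missing LDAP library, a timeout or a malformed reply thus only
means \"no certificate from this source\", which is the behaviour
asked for above for a non-nil `smime-ldap-host-list'."
  (condition-case err
      (funcall fetcher address)
    (error
     (message "smime: source %S failed for %s: %s"
              fetcher address (error-message-string err))
     nil)))

(defun my-smime-find-certificate (address verify-p &optional strict)
  "Return a certificate for ADDRESS, or nil if none was found.
All sources in `my-smime-fetchers' are consulted and their results
concatenated.  The first candidate for which VERIFY-P returns non-nil
wins; if none verifies, the first candidate is returned unless STRICT
is non-nil, in which case nil is returned."
  (let ((candidates (apply #'append
                           (mapcar (lambda (f) (my-smime-safe-fetch f address))
                                   my-smime-fetchers)))
        (verified nil))
    (dolist (cert candidates)
      (when (and (null verified) (funcall verify-p cert))
        (setq verified cert)))
    (or verified
        (and (not strict) (car candidates)))))

;; Constructed example: the first source is broken (as an unreachable LDAP
;; server would be), the second returns two candidates, only one of which
;; the hypothetical verifier accepts.  The broken source is logged and
;; skipped, and "cert-ok" is chosen over the earlier "cert-untrusted".
(let ((my-smime-fetchers
       (list (lambda (_addr) (error "ldap-search: connection refused"))
             (lambda (_addr) (list "cert-untrusted" "cert-ok")))))
  (my-smime-find-certificate "user@example.org"
                             (lambda (cert) (string= cert "cert-ok"))))
```

Passing a non-nil STRICT gives the "only use a certificate that verifies" policy Arne proposes, while the default matches the fallback preference stated in the reply.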