Gnus development mailing list
* How does one pgp/mime encrypt to different recipients?
@ 2002-09-02 18:33 John A. Martin
  2002-09-02 20:07 ` Simon Josefsson
  0 siblings, 1 reply; 11+ messages in thread
From: John A. Martin @ 2002-09-02 18:33 UTC (permalink / raw)


[-- Attachment #1: Type: text/plain, Size: 122 bytes --]

How does one encrypt mail to key user-ids other than those
auto-detected from the To/CC headers?

        jam





[-- Attachment #2: Type: application/pgp-signature, Size: 154 bytes --]


* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-02 18:33 How does one pgp/mime encrypt to different recipients? John A. Martin
@ 2002-09-02 20:07 ` Simon Josefsson
  2002-09-02 22:38   ` John A. Martin
  0 siblings, 1 reply; 11+ messages in thread
From: Simon Josefsson @ 2002-09-02 20:07 UTC (permalink / raw)
  Cc: ding

jam@jamux.com (John A. Martin) writes:

> How does one encrypt mail to key user-ids other than those
> auto-detected from the To/CC headers?

The old per-part MML tags `recipients' and `sender' work:

<#multipart encrypt=pgpmime recipients=foo@bar.com>

but they don't seem to work in the new <#secure> tag.  I'm not sure
why.





* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-02 20:07 ` Simon Josefsson
@ 2002-09-02 22:38   ` John A. Martin
  2002-09-03  9:45     ` Kai Großjohann
                       ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: John A. Martin @ 2002-09-02 22:38 UTC (permalink / raw)
  Cc: ding

[-- Attachment #1: Type: text/plain, Size: 1338 bytes --]

>>>>> "Simon" == Simon Josefsson
>>>>> "Re: How does one pgp/mime encrypt to different recipients?"
>>>>>  Mon, 02 Sep 2002 22:07:11 +0200

    Simon> jam@jamux.com (John A. Martin) writes:
    >> How does one encrypt mail to key user-ids other than those
    >> auto-detected from the To/CC headers?

    Simon> The old per-part MML tags `recipients' and `sender' work:

Thank you for the quick response.

Being a newbie I don't know nut'n 'bout old stuff.  It all looks the
same to me.  :)

    Simon> #multipart encrypt=pgpmime recipients=foo@bar.com

Using something like

      example: #multipart encrypt=pgpmime recipients=comma,seperated,list[1]

worked OK for me except that when decrypting, also with ognus-5.07
(XEmacs-21.4p5), I saw no indication that there was a good signature
before encrypting.  Using something like

      example: #multipart sign=pgpmime encrypt=pgpmime recipients=l,i,s,t

also gave no hint what key if any had signed the message.

How does one supply the --throw-keyid option?

    Simon> but they don't seem to work in the new <#secure> tag.
    Simon> I'm not sure why.

Will this get on someone's To Do list after appearing here?

Footnotes: 
[1]  What is a sure way of 'protecting' a line like this?  I finally
removed the pointy brackets.

        jam


[-- Attachment #2: Type: application/pgp-signature, Size: 154 bytes --]


* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-02 22:38   ` John A. Martin
@ 2002-09-03  9:45     ` Kai Großjohann
  2002-09-03 14:52     ` Josh Huber
  2002-09-03 16:10     ` Simon Josefsson
  2 siblings, 0 replies; 11+ messages in thread
From: Kai Großjohann @ 2002-09-03  9:45 UTC (permalink / raw)
  Cc: Simon Josefsson, ding

jam@jamux.com (John A. Martin) writes:

> Footnotes: 
> [1]  What is a sure way of 'protecting' a line like this?  I finally
> removed the pointy brackets.

<menu-bar> <attachments> <quote mml>, C-c RET q (mml-quote-region)

kai
-- 
A large number of young women don't trust men with beards.  (BFBS Radio)




* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-02 22:38   ` John A. Martin
  2002-09-03  9:45     ` Kai Großjohann
@ 2002-09-03 14:52     ` Josh Huber
  2002-09-04 13:56       ` David S Goldberg
  2002-09-03 16:10     ` Simon Josefsson
  2 siblings, 1 reply; 11+ messages in thread
From: Josh Huber @ 2002-09-03 14:52 UTC (permalink / raw)


jam@jamux.com (John A. Martin) writes:

> Will this get on someone's To Do list after appearing here?

Typo.  I just checked in a fix for this so you can assign recipients
with the secure tag as well.

Please try it out!

-- 
Josh Huber




* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-02 22:38   ` John A. Martin
  2002-09-03  9:45     ` Kai Großjohann
  2002-09-03 14:52     ` Josh Huber
@ 2002-09-03 16:10     ` Simon Josefsson
  2 siblings, 0 replies; 11+ messages in thread
From: Simon Josefsson @ 2002-09-03 16:10 UTC (permalink / raw)
  Cc: ding

jam@jamux.com (John A. Martin) writes:

>     Simon> #multipart encrypt=pgpmime recipients=foo@bar.com
>
> Using something like
>
>       example: #multipart encrypt=pgpmime recipients=comma,seperated,list[1]
>
> worked OK for me except that when decrypting, also with ognus-5.07
> (XEmacs-21.4p5), I saw no indication that there was a good signature
> before encrypting.  

I'm not sure I understand; if encrypt=pgpmime is used the message
isn't signed, I think.  Is this a problem?

> Using something like
>
>       example: #multipart sign=pgpmime encrypt=pgpmime recipients=l,i,s,t
>
> also gave no hint what key if any had signed the message.

The default key is used when signing.  You can frob the default in
~/.gnupg/options, `mc-gpg-user-id' or `gpg-default-key-id'.

> How does one supply the --throw-keyid option?

Depends on which OpenPGP implementation interface is used.  Do the
comments in gpg.el or the Mailcrypt manual answer this?  I don't know
the answer.





* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-03 14:52     ` Josh Huber
@ 2002-09-04 13:56       ` David S Goldberg
  2002-09-04 14:46         ` Josh Huber
  0 siblings, 1 reply; 11+ messages in thread
From: David S Goldberg @ 2002-09-04 13:56 UTC (permalink / raw)


>>>>> On Tue, 03 Sep 2002 10:52:54 -0400, Josh Huber
>>>>> <huber@alum.wpi.edu> said: 

> jam@jamux.com (John A. Martin) writes:
>> Will this get on someone's To Do list after appearing here?

> Typo.  I just checked in a fix for this so you can assign recipients
> with the secure tag as well.

> Please try it out!


Does/should this work for s/mime?  If so what's the syntax for the
tag?  I've been completely unable to encrypt to multiple recipients
using the secure tag.  I always have to remember to use
mml-secure-encrypt-smime which only encrypts a single part, which
works for my simple text messages, but is clearly not the desired
approach.

Thanks,
-- 
Dave Goldberg
david.goldberg6@verizon.net






* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-04 13:56       ` David S Goldberg
@ 2002-09-04 14:46         ` Josh Huber
  2002-09-05 16:53           ` David S Goldberg
  0 siblings, 1 reply; 11+ messages in thread
From: Josh Huber @ 2002-09-04 14:46 UTC (permalink / raw)


David S Goldberg <david.goldberg6@verizon.net> writes:

> Does/should this work for s/mime?  If so what's the syntax for the
> tag?  I've been completely unable to encrypt to multiple recipients
> using the secure tag.  I always have to remember to use
> mml-secure-encrypt-smime which only encrypts a single part, which
> works for my simple text messages, but is clearly not the desired
> approach.

I think it should work for s/mime, but I don't use it.  With s/mime do
you have to specify the recipients each time, or can it look up based
on the recipient addresses in the headers?

I see now...(looking at mml-smime.el)

Right now I'm not calling the mml-smime-(sign|encrypt)-query
function. 

I don't have smime keys set up to test this, so could you try out this
patch?

Index: mml-sec.el
===================================================================
RCS file: /usr/local/cvsroot/gnus/lisp/mml-sec.el,v
retrieving revision 1.15
diff -u -r1.15 mml-sec.el
--- mml-sec.el	2002/05/08 16:12:53	1.15
+++ mml-sec.el	2002/09/04 15:20:26
@@ -161,7 +161,12 @@
 ;; defuns that add the proper <#secure ...> tag to the top of the message body
 (defun mml-secure-message (method &optional modesym)
   (let ((mode (prin1-to-string modesym))
-	insert-loc)
+	insert-loc
+        (recipients (funcall (nth 2 (assoc method
+                                           (if (or (eq modesym 'sign)
+                                                   (eq modesym 'signencrypt))
+                                               mml-sign-alist
+                                             mml-encrypt-alist))))))
     (mml-unsecure-message)
     (save-excursion
       (goto-char (point-min))
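Review bot: In the new `recipients` binding, `(or (eq modesym 'sign) (eq modesym 'signencrypt))` selects mml-sign-alist for signencrypt as well as sign, so in signencrypt mode the encrypt-side query function is never called; consider consulting mml-encrypt-alist whenever modesym includes encryption. The `(funcall (nth 2 (assoc method ...)))` is also unguarded: if method is missing from the alist, or its entry has no third element, funcall receives nil and signals an error, so check the looked-up function before calling it. The added lines are indented with spaces while the surrounding lines use tabs.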
@@ -170,7 +175,7 @@
 	     (goto-char (setq insert-loc (match-end 0)))
 	     (unless (looking-at "<#secure")
 	       (mml-insert-tag
-		'secure 'method method 'mode mode)))
+		'secure 'method method 'mode mode recipients)))
 	    (t (error
 		"The message is corrupted. No mail header separator"))))
     (when (eql insert-loc (point))
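Review bot: In the `mml-insert-tag` call, `recipients` is appended as one trailing argument after the `'method method 'mode mode` name/value pairs, so whatever list the query function returned is passed as a single odd argument instead of being spliced in as further name/value pairs, and a nil result adds a stray nil. If the query functions return a list of pairs, call it through apply, e.g. `(apply 'mml-insert-tag 'secure 'method method 'mode mode recipients)`. The variable name `recipients` is also misleading if the returned list can carry other tag attributes.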


If that doesn't work, can you tell me what the mml-smime-sign-query
function returns for you?  Does it include the "recipients" symbol?

Thanks,

-- 
Josh Huber




* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-04 14:46         ` Josh Huber
@ 2002-09-05 16:53           ` David S Goldberg
  2002-09-05 17:05             ` Josh Huber
  0 siblings, 1 reply; 11+ messages in thread
From: David S Goldberg @ 2002-09-05 16:53 UTC (permalink / raw)


I tried the patch but got the same behavior I got before.  For the To:
and Gcc: (I only know for sure by experimentation since it never asks
me for which key it's looking) it prompts me for the signing key and
password as well as an encryption key.  Nothing for those on the Cc.
Quite possibly because neither mml-smime-sign-query nor
mml-smime-encrypt-query have the symbol recipients in the returned
list.

Thanks,
-- 
Dave Goldberg
david.goldberg6@verizon.net






* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-05 16:53           ` David S Goldberg
@ 2002-09-05 17:05             ` Josh Huber
  2002-09-06 15:22               ` David S Goldberg
  0 siblings, 1 reply; 11+ messages in thread
From: Josh Huber @ 2002-09-05 17:05 UTC (permalink / raw)


David S Goldberg <david.goldberg6@verizon.net> writes:

> I tried the patch but got the same behavior I got before.  For the
> To: and Gcc: (I only know for sure by experimentation since it never
> asks me for which key it's looking) it prompts me for the signing
> key and password as well as an encryption key.  Nothing for those on
> the Cc.  Quite possibly because neither mml-smime-sign-query nor
> mml-smime-encrypt-query have the symbol recipients in the returned
> list.

What would I need to do to set up a minimal s/mime config so I could
test this myself?

If I have a testing environment, I can probably fix this problem.

-- 
Josh Huber




* Re: How does one pgp/mime encrypt to different recipients?
  2002-09-05 17:05             ` Josh Huber
@ 2002-09-06 15:22               ` David S Goldberg
  0 siblings, 0 replies; 11+ messages in thread
From: David S Goldberg @ 2002-09-06 15:22 UTC (permalink / raw)


>>>>> On Thu, 05 Sep 2002 13:05:42 -0400, Josh Huber <huber@alum.wpi.edu> said:

> What would I need to do to set up a minimal s/mime config so I could
> test this myself?

> If I have a testing environment, I can probably fix this problem.

I wish I could provide more detail but I just use smime with the PKI
at work.  Some of my colleagues in the security business have set up
full-blown PKI test environments with openssl and claim it isn't much
work but I don't know how they do it myself.

If it helps at all, my smime-related settings for gnus are:

	(setq
         smime-certificate-directory (expand-file-name "~/private/certs/")
         smime-CA-directory (expand-file-name "~/private/CAs")
         smime-keys (list (list "dsg@mitre.org"
                                 (concat smime-certificate-directory
                                         "dsg-20020208-20030802.pem"))
                          (list "old-dsg@mitre.org"
                                 (concat smime-certificate-directory
                                         "dsg-20000817-20020208.pem"))
                          (list "oldest-dsg@mitre.org"
                                 (concat smime-certificate-directory
                                         "dsg-19990224-20000817.pem"))))

That last one simply allows me to decrypt old messages by selecting
the key that was current at the time the message was sent.  The
smime-CA-directory contains a .pem file of our root key, which is used
to sign all staff keys.  I keep copies of the staff keys (pem format)
in smime-certificate-directory.  The openssl c_rehash command is
necessary in the CA directory.  I gathered from smime.el that it
should be run in the certificate directory as well, but I'm not sure
the hashes are actually used since I'm asked to provide the PEM file
explicitly.

Thanks,

-- 
Dave Goldberg
david.goldberg6@verizon.net
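
A throwaway S/MIME test environment of the kind asked about in this thread, as an added example that is not code from any poster or from Gnus: it builds a test root CA and three identities with the openssl command line, hashes the CA directory, encrypts one message to two recipients and decrypts it as one of them. The names alice, bob and carol, the example.org addresses, the directory layout and the combined certificate-plus-key PEM files are assumptions of this example; `openssl rehash` is the built-in form of c_rehash, which is used as a fallback.

```shell
#!/bin/sh
# Added example: throwaway S/MIME test PKI. All names/addresses are constructed.
set -eu

make_pki() {  # $1 = work dir; creates CAs/ (root cert) and certs/ (identities)
    d=$1
    mkdir -p "$d/CAs" "$d/certs"
    # Self-signed test root; only its certificate goes into the CA directory.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
        -keyout "$d/ca.key" -out "$d/CAs/root.pem" 2>/dev/null
    for u in alice bob carol; do
        openssl req -newkey rsa:2048 -nodes -keyout "$d/$u.key" -out "$d/$u.csr" \
            -subj "/CN=$u/emailAddress=$u@example.org" 2>/dev/null
        openssl x509 -req -in "$d/$u.csr" -CA "$d/CAs/root.pem" -CAkey "$d/ca.key" \
            -CAserial "$d/ca.srl" -CAcreateserial -days 30 -out "$d/$u.crt" 2>/dev/null
        # Certificate + private key in one PEM, so decrypt_as needs no -inkey.
        cat "$d/$u.crt" "$d/$u.key" > "$d/certs/$u.pem"
    done
    # Create the <hash>.0 links that -CApath lookups rely on.
    openssl rehash "$d/CAs" 2>/dev/null || c_rehash "$d/CAs" >/dev/null 2>&1
}

chain_ok() {  # $1 = work dir, $2 = name; verify against the hashed CA directory
    openssl verify -CApath "$1/CAs" "$1/$2.crt" >/dev/null 2>&1
}

encrypt_to() {  # $1 = work dir, $2 = plaintext file, $3... = recipient names
    d=$1; msg=$2; shift 2
    certs=""
    for u in "$@"; do certs="$certs $d/$u.crt"; done
    # One encrypted message, one RecipientInfo per listed certificate.
    # $certs is split on purpose; the mktemp paths contain no spaces.
    openssl smime -encrypt -binary -aes256 -in "$msg" -out "$d/msg.p7m" $certs
}

decrypt_as() {  # $1 = work dir, $2 = name; prints the plaintext on success
    openssl smime -decrypt -in "$1/msg.p7m" -recip "$1/certs/$2.pem"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
printf 'constructed test message\n' > "$work/plain.txt"
encrypt_to "$work" "$work/plain.txt" alice bob   # carol is left out
decrypt_as "$work" bob
```

An identity that was not on the recipient list (carol here) cannot decrypt the message, which is the behaviour to check for when recipients from Cc are silently skipped.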





