From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Get certificate from LDAP for S/MIME encryption (patch)
Date: Mon, 14 Feb 2005 16:37:04 +0100
References: <87u0ohv8vg.fsf@seamus.arnested.dk> <877jlbrzdq.fsf@seamus.arnested.dk>
To: Arne Jørgensen
Cc: ding@gnus.org
In-Reply-To: <877jlbrzdq.fsf@seamus.arnested.dk> (Arne Jørgensen's message of "Mon, 14 Feb 2005 15:26:41 +0100")
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:21:050214:arne@arnested.dk::hcLUU8xmcgXRs3Bd:BAYZ
X-Hashcash: 1:21:050214:ding@gnus.org::MCVKTOnL/4jJqzE8:vWu
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/22.0.50 (gnu/linux)
Xref: main.gmane.org gmane.emacs.gnus.general:59801

Arne Jørgensen writes:

> Simon Josefsson writes:
>
> Hi Simon,
>
> I'm sending this to you as e-mail because I have tried to post it to
> gmane.emacs.gnus.general three times now without success. Feel free to
> forward it to the list.

I've cc'ed the mailing list.  FWIW, with this setting:

 '(gnus-mailing-list-groups "gmane\\|gnus.gnus-bug")
 '(message-extra-wide-headers (quote ("Original-To")))

you can read from the gmane group, and posting will go via e-mail
instead of via gmane.org.  There are some advantages with this
approach: hashcash works, no connectivity dependency on gmane.org for
posting, authors are Cc'ed properly.  And some disadvantages: you need
to be subscribed to subscriber-only lists.

> Well, CVS Emacs' ldap.el is already written towards OpenLDAP v2 and
> I got the patches to retrieve ";binary" stuff applied about a week
> ago.

Great.

> Instead I have implemented a `smime-ldap-search' that will just call
> `ldap-search' when running in Emacs 22 and above, and use a slightly
> rewritten version of the same function in Emacs 21.  See attached file
> and new patch to use it.

Applied.  I modified some things, please verify it still works.

>>> [1] Actually I will probably volunteer to reimplement the user
>>> interface to the S/MIME stuff.  But before coding we should agree
>>> on how we would like it to be.  (And PGP and S/MIME should probably
>>> share the same interface ideas and I know nothing about PGP (yet)).
>>
>> Great.  What is there to agree on?  Is there something wrong with
>> making the MML tag for individual parts work on the "global" security
>> MML tag?
>
> I don't think so.  That was part of what I was thinking on.

Thanks for working on this!  I wish I had more time to help.

> Other thoughts are:
>
> - gnus should try to find the certificate without asking the user.
>   Probably a list of preferred methods ('dns 'ldap 'file 'ask).

Yup.  Btw, I changed the default from dns to ldap.  Is auto-querying
from LDAP sources reliable?  Is there any suitable default value for
`smime-ldap-host-list'?  It should be very safe to auto-query DNS.

> - better access to locally cached certificates (this was mentioned in
>   the recent thread on gnu.emacs.gnus also).  We could just store the
>   certificates in a dir with the email address as file name.

Yes.  I wish there was a standard for Unix S/MIME MUAs for this, so
Gnus wouldn't have to invent its own ideas.

> - maybe wait until the message is to be sent before we ask which
>   certificates to use.  At the moment you will not sign/encrypt to
>   addresses added after you have put in the mml tags.  DNS and
>   LDAP store the certificates in a temporary buffer - what happens
>   if you file the mail as a draft and leave Emacs?

Good point.  The current behavior could probably be considered a bug.

> - haven't verified this recently, but I think gnus will send a message
>   even though openssl fails (i.e. because of a typo in the password).
>   This should probably be considered a security bug.

Yup.

> - use password.el to cache passwords as you mentioned on
>   gnu.emacs.gnus.

Yup.

IMHO, there is another major important item:

- Replace use of OpenSSL with gpgsm.

I will try to work on that.  I started some time ago, but never got
gpgsm to sign messages properly.  If we fix this last OpenSSL use in
Gnus, there would be no need for Gnus users to ever have to install
OpenSSL, which I consider to be a big win.

Thanks,
Simon
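The lookup chain and on-disk cache discussed in the thread, as an added example that is not Gnus or smime.el code and does not reproduce Arne's patch: a list of methods tried in order (file cache, LDAP, DNS, ask), with any network hit written to a per-address cache file so the certificate survives a draft being filed and Emacs exiting. The LDAP and DNS resolvers are stand-ins backed by constructed tables (the example.org addresses and PEM strings are made up); the file cache is real and runs in a temporary directory. Two checks a practitioner would want are built in: the cache file name is derived from a header-supplied address, so the address is validated before it becomes a path, and a failed lookup raises rather than returning nothing, so a caller cannot fall through to sending the message anyway.

```python
"""Certificate lookup chain for S/MIME recipients.

Added illustration only; this is not Gnus code and not the smime.el
design.  It models two ideas from the thread: trying a list of lookup
methods in order (file cache, LDAP, DNS, ask) and caching certificates
on disk under the recipient's e-mail address.  The LDAP and DNS
resolvers are stand-ins backed by constructed tables.
"""
import os
import re
import tempfile
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

# Constructed stand-ins for what ldap-search / a DNS CERT record would return.
CONSTRUCTED_LDAP = {
    "arne@example.org": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ARNE\n-----END CERTIFICATE-----\n",
}
CONSTRUCTED_DNS = {
    "simon@example.org": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SIMON\n-----END CERTIFICATE-----\n",
}

# Conservative shape for an address we are willing to turn into a file name.
_ADDR_RE = re.compile(r"[A-Za-z0-9_+-]+(\.[A-Za-z0-9_+-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def cache_path(cache_dir: str, address: str) -> str:
    """Map a recipient address to a file under cache_dir.

    The address comes straight from the To:/Cc: header, i.e. it is
    attacker-influenced.  Without these checks an address such as
    "../../.ssh/authorized_keys" would be written outside the cache.
    """
    addr = address.strip().lower()
    if not _ADDR_RE.fullmatch(addr):
        raise ValueError(f"refusing to use {address!r} as a file name")
    path = os.path.join(cache_dir, addr + ".pem")
    base = os.path.realpath(cache_dir)
    if os.path.commonpath([base, os.path.realpath(path)]) != base:
        raise ValueError("cache path escapes cache directory")
    return path


def file_resolver(cache_dir: str) -> Resolver:
    """Local cache: one PEM file per address, as proposed in the thread."""
    def lookup(address: str) -> Optional[str]:
        path = cache_path(cache_dir, address)
        if not os.path.isfile(path):
            return None
        with open(path, encoding="ascii") as fh:
            return fh.read()
    return lookup


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Stand-in for a network lookup (ldap-search or a DNS CERT query)."""
    return lambda address: table.get(address.strip().lower())


def ask_resolver(address: str) -> Optional[str]:
    """Last resort.  In a MUA this prompts the user; here it fails closed."""
    raise LookupError(f"no certificate for {address}; user must supply one")


def find_certificate(address: str, methods: List[Tuple[str, Resolver]],
                     cache_dir: Optional[str] = None) -> str:
    """Try each method in order and return the first certificate found.

    A network hit is written to the file cache so the next lookup does
    not depend on the network.  Failure raises instead of returning
    None: the caller must not fall through to sending the message
    unencrypted, which is the class of bug the thread warns about.
    """
    for name, resolver in methods:
        cert = resolver(address)
        if not cert:
            continue
        if cache_dir is not None and name != "file":
            os.makedirs(cache_dir, exist_ok=True)
            with open(cache_path(cache_dir, address), "w", encoding="ascii") as fh:
                fh.write(cert)
        return cert
    raise LookupError(f"no certificate for {address}")


def demo() -> Dict[str, object]:
    """Exercise the chain in a scratch directory; returns what happened."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as cache_dir:
        methods = [
            ("file", file_resolver(cache_dir)),
            ("ldap", table_resolver(CONSTRUCTED_LDAP)),
            ("dns", table_resolver(CONSTRUCTED_DNS)),
            ("ask", ask_resolver),
        ]
        out["arne_first"] = find_certificate("arne@example.org", methods, cache_dir)
        out["arne_cached"] = os.path.isfile(cache_path(cache_dir, "arne@example.org"))
        # Second lookup with only the file method must still succeed (offline).
        out["arne_offline"] = find_certificate("arne@example.org", methods[:1])
        out["simon"] = find_certificate("simon@example.org", methods, cache_dir)
        try:
            find_certificate("nobody@example.org", methods, cache_dir)
            out["unknown_rejected"] = False
        except LookupError:
            out["unknown_rejected"] = True
        try:
            cache_path(cache_dir, "../../etc/passwd")
            out["traversal_rejected"] = False
        except ValueError:
            out["traversal_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", repr(value)[:60])
```

The order of `methods` is the preference list from the thread; swapping the ldap and dns entries reproduces the default change Simon mentions. Because every lookup of an address passes through `cache_path`, an address that cannot be safely turned into a file name is rejected before any resolver runs, not only when a certificate is about to be written.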