Bruce Stephens writes: > Just a couple of suggestions for signed email mostly. Most user > agents don't *require* that certificates verify (i.e., you don't > *have* to have the issuer's certificate). They complain loudly if the > certificate doesn't validate, obviously, but they allow you to trust a > specific certificate, without having to trust all certificates signed > by a particular issuer. > > Openssl allows this using the -noverify flag. So (in a pleasantly > contradictory fashion), "openssl smime -verify -noverify ..." makes > perfect sense. Yes. What would good defaults be? First try to verify message+certificate, with fall back to simply verify the message? In the second case, it could say something along the lines of [[S/MIME Signed: OK (Untrusted CA))]] What do you think? > Also, "openssl smime -verify ... -signer " extracts the > certificate (presuming there is one). That strikes me as a very > convenient feature to use. Especially considering that "openssl x509 > -email -noout -in .pem" prints out a list of email addresses for > the given certificate, which would presumably allow Gnus to check that > the email addresses match with the From header. I've added support for this now. This message should be an example of this, if you got the verisign cert in your CA path, it should say "Sender forged" (you might need to do `W s' if you disabled auto-verification). If you click on the button it should display the certificate found in this message so you can spot why it happened.