From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: Re: S/MIME suggestions
Date: 29 Nov 2000 22:22:38 +0100
References: <871yvxdkm5.fsf_-_@cenderis.demon.co.uk>
In-Reply-To: <871yvxdkm5.fsf_-_@cenderis.demon.co.uk>
Original-To: Bruce Stephens
Cc: ding@gnus.org
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Channel Islands)
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----C9DB307C9A22E7EE65DA0A14327B218E"

This is an S/MIME signed message

------C9DB307C9A22E7EE65DA0A14327B218E
Content-Transfer-Encoding: quoted-printable

Bruce Stephens writes:

> Just a couple of suggestions for signed email mostly. Most user
> agents don't *require* that certificates verify (i.e., you don't
> *have* to have the issuer's certificate). They complain loudly if the
> certificate doesn't validate, obviously, but they allow you to trust a
> specific certificate, without having to trust all certificates signed
> by a particular issuer.
>
> Openssl allows this using the -noverify flag. So (in a pleasantly
> contradictory fashion), "openssl smime -verify -noverify ..." makes
> perfect sense.

Yes. What would good defaults be? First try to verify
message+certificate, with fall back to simply verify the message? In
the second case, it could say something along the lines of

[[S/MIME Signed: OK (Untrusted CA))]]

What do you think?

> Also, "openssl smime -verify ... -signer " extracts the
> certificate (presuming there is one). That strikes me as a very
> convenient feature to use. Especially considering that "openssl x509
> -email -noout -in .pem" prints out a list of email addresses for
> the given certificate, which would presumably allow Gnus to check that
> the email addresses match with the From header.

I've added support for this now. This message should be an example of
this, if you got the verisign cert in your CA path, it should say
"Sender forged" (you might need to do `W s' if you disabled
auto-verification). If you click on the button it should display the
certificate found in this message so you can spot why it happened.

------C9DB307C9A22E7EE65DA0A14327B218E
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

[smime.p7s: base64 PKCS#7 signature data omitted]

------C9DB307C9A22E7EE65DA0A14327B218E--
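
The verification order discussed in this message (full check, then the `-noverify` fallback, then comparing the signer certificate's addresses with the From header), as an added shell example that is not Gnus code and not part of the original message. The function names, the "Failed" status and the sample addresses are assumptions; the other status strings are modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example (not Gnus code). Function names are hypothetical.

# smime_status MSG CAFILE -> prints one status line for a signed message.
smime_status() {
    msg=$1; cafile=$2
    tmp=$(mktemp -d) || return 2
    signer=$tmp/signer.pem
    # 1. Full check: signature and certificate chain up to a CA in CAFILE.
    if openssl smime -verify -in "$msg" -CAfile "$cafile" \
            -signer "$signer" -out /dev/null 2>/dev/null; then
        trust="OK"
    # 2. Fallback: signature only; -noverify skips signer certificate checks.
    elif openssl smime -verify -noverify -in "$msg" \
            -signer "$signer" -out /dev/null 2>/dev/null; then
        trust="OK (Untrusted CA)"
    else
        rm -rf "$tmp"; echo "[[S/MIME Signed: Failed]]"; return 1
    fi
    # 3. Address from the first From: header (headers end at the blank line).
    from=$(tr -d '\r' < "$msg" | sed -n '/^$/q; s/^From:[[:space:]]*//p' |
           head -n 1 | sed 's/.*<\(.*\)>.*/\1/' | tr 'A-Z' 'a-z')
    # 4. Addresses in the extracted signer certificate, one per line.
    if [ -n "$from" ] && openssl x509 -email -noout -in "$signer" |
            tr 'A-Z' 'a-z' | grep -Fxq -- "$from"; then
        echo "[[S/MIME Signed: $trust]]"
    else
        echo "[[S/MIME Signed: Sender forged]]"
    fi
    rm -rf "$tmp"
}

# make_sample DIR CERT_EMAIL FROM_ADDR: constructed test data only. Creates a
# throwaway self-signed certificate for CERT_EMAIL and a message signed with
# it whose From: header is FROM_ADDR.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Signer/emailAddress=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    printf 'hello\n' > "$1/body.txt"
    openssl smime -sign -in "$1/body.txt" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -from "$3" -out "$1/msg.eml" 2>/dev/null
}
```

In the fallback case the address match is made against a certificate that no trusted issuer vouched for, so the result is best shown as untrusted rather than as confirmation of the sender.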