jens.lechtenboerger@fsfe.org writes:

> Greg Troxel writes:
>
>>> My recommendation is to stay away from openssl. Use gpgsm.
>>
>> So perhaps the defaults should be flipped in Gnus, so that epg/gpgsm is
>> used, throwing an error if not found (or silently not decoding merely
>> signed?), unless someone has explicitly asked for the openssl version?
>
> Yes, I agree. Actually, I plan to propose that later this month.
> Currently, I’m working on the refactoring of encryption-related code in
> Gnus that I proposed more than a year ago on this list.

I look forward to testing this.

Following up on some previous discussion: in theory an S/MIME
implementation could allow for flexible user-controlled key management,
where one could choose to trust an end-user cert without enabling a CA.
But having tried this with Mail.app and gpgsm, I find that you are
entirely right and that the standard PKI model is very baked in. With
gpgsm this is about just mail, but with Mail.app it gets into "do you
want to trust random company's CA for X.509 certs in general".

Thanks for the advice about this.

Greg
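The behaviour Greg proposes in the quoted text (prefer epg/gpgsm for S/MIME, error out if gpgsm is absent, and make the openssl backend opt-in) can be approximated today from a user's init file. The snippet below is an added example, not code from this thread or from Gnus itself; it assumes that Gnus's `mml-smime-use` variable accepts the symbols `epg` and `openssl`, and the function name `my-smime-require-gpgsm` is a hypothetical one chosen for illustration.

```elisp
;; Added example, not part of the thread: select the EPG/gpgsm backend for
;; S/MIME in Gnus and fail loudly when gpgsm is not installed, instead of
;; quietly falling back to the openssl backend.
;; Assumption: `mml-smime-use' accepts the symbols `epg' and `openssl'.
(require 'mml-smime)

(defun my-smime-require-gpgsm ()
  "Use the EPG backend for S/MIME; signal an error if gpgsm is missing.
Hypothetical helper name; returns the backend symbol actually selected."
  (if (executable-find "gpgsm")
      (setq mml-smime-use 'epg)
    (error "gpgsm not found in PATH; refusing to fall back to openssl for S/MIME")))

(my-smime-require-gpgsm)

;; Anyone who really wants the openssl backend has to ask for it explicitly,
;; after the check above has run:
;; (setq mml-smime-use 'openssl)
```

Raising an error at init time, rather than at the moment a signed message is opened, keeps a missing gpgsm from silently degrading to the backend the thread recommends against.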