Gnus development mailing list
* RFC: use NSS for S/MIME
@ 2016-03-03  8:20 Daiki Ueno
  2016-03-04 14:52 ` Jens Lechtenboerger
  2016-03-23 18:50 ` Greg Troxel
  0 siblings, 2 replies; 5+ messages in thread
From: Daiki Ueno @ 2016-03-03  8:20 UTC (permalink / raw)
  To: ding

Hello,

After seeing Greg's report on S/MIME interoperability issue[1], I was
thinking that it might be a good idea to add an S/MIME backend using NSS
instead of gpgsm.

The rationale behind this is:

- The certificate/key database could be shared with other major MUAs,
  such as Evolution or Thunderbird.

- For OpenPGP, GnuPG is the de-facto and there is no free alternative.
  For S/MIME, however, NSS is more widely used, and I expect that it had
  been tested better.

What do people think?  I have a basic wrapper implementation[2] (though
I might not have time to finish the integration of it into Gnus).

Regards,

Footnotes: 
[1]  http://article.gmane.org/gmane.emacs.gnus.general/86677

[2]  https://github.com/ueno/smime-nss-el

-- 
Daiki Ueno




* Re: RFC: use NSS for S/MIME
  2016-03-03  8:20 RFC: use NSS for S/MIME Daiki Ueno
@ 2016-03-04 14:52 ` Jens Lechtenboerger
  2016-03-04 22:38   ` Daiki Ueno
  2016-03-23 18:50 ` Greg Troxel
  1 sibling, 1 reply; 5+ messages in thread
From: Jens Lechtenboerger @ 2016-03-04 14:52 UTC (permalink / raw)
  To: ding; +Cc: Daiki Ueno

On 2016-03-03, at 17:20, Daiki Ueno wrote:

> Hello,
>
> After seeing Greg's report on S/MIME interoperability issue[1], I was
> thinking that it might be a good idea to add an S/MIME backend using NSS
> instead of gpgsm.
> [...]

How would certificate management (import, expiry) work with NSS?

Best wishes
Jens




* Re: RFC: use NSS for S/MIME
  2016-03-04 14:52 ` Jens Lechtenboerger
@ 2016-03-04 22:38   ` Daiki Ueno
  2016-03-06 14:58     ` Jens Lechtenboerger
  0 siblings, 1 reply; 5+ messages in thread
From: Daiki Ueno @ 2016-03-04 22:38 UTC (permalink / raw)
  To: ding

Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:

> How would certificate management (import, expiry) work with NSS?

That can be done with the "certutil" command.  Maybe there could be an
Elisp interface around it.

Regards,
-- 
Daiki Ueno
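
Added example (not part of the message above, of smime-nss-el, or of Gnus): one way an Elisp interface around certutil could cover the import and expiry checks asked about. The `my-nss-` names and the DB argument are hypothetical; the code assumes certutil is on PATH and uses only its -d, -A, -a, -n, -t, -i, -V, -e and -u options.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: hypothetical helpers, not code from smime-nss-el or Gnus.
(require 'subr-x)                       ; string-trim on older Emacs

(defvar my-nss-certutil-program "certutil"
  "Name of the NSS certutil executable (assumed to be on PATH).")

(defun my-nss--certutil (db &rest args)
  "Run certutil with ARGS against the NSS database DB.
DB is passed verbatim to certutil's -d option, e.g. \"sql:/path/to/profile\".
Return a cons (EXIT-STATUS . OUTPUT)."
  (with-temp-buffer
    (let ((status (apply #'call-process my-nss-certutil-program
                         nil t nil "-d" db args)))
      (cons status (string-trim (buffer-string))))))

(defun my-nss-import-certificate (db nickname pem-file)
  "Import the PEM certificate in PEM-FILE into DB under NICKNAME.
The empty trust flags (\",,\") keep an imported correspondent
certificate from becoming a trust anchor; it still has to chain
to a CA that the database already trusts."
  (let ((res (my-nss--certutil db "-A" "-a" "-n" nickname "-t" ",,"
                               "-i" (expand-file-name pem-file))))
    (unless (eq (car res) 0)
      (error "certutil import failed: %s" (cdr res)))
    t))

(defun my-nss-certificate-valid-p (db nickname &optional usage)
  "Return non-nil if NICKNAME in DB validates for USAGE at the current time.
USAGE is a certutil usage letter: \"S\" (email signer, the default)
or \"R\" (email recipient).  Expired certificates and certificates
without a trusted issuer both fail; the reason certutil printed is
shown with `message'."
  (let ((res (my-nss--certutil db "-V" "-e" "-n" nickname
                               "-u" (or usage "S"))))
    (if (eq (car res) 0)
        t
      (message "certutil: %s" (cdr res))
      nil)))
```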




* Re: RFC: use NSS for S/MIME
  2016-03-04 22:38   ` Daiki Ueno
@ 2016-03-06 14:58     ` Jens Lechtenboerger
  0 siblings, 0 replies; 5+ messages in thread
From: Jens Lechtenboerger @ 2016-03-06 14:58 UTC (permalink / raw)
  To: ding; +Cc: Daiki Ueno

On 2016-03-05, at 07:38, Daiki Ueno wrote:

> Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:
>
>> How would certificate management (import, expiry) work with NSS?
>
> That can be done with the "certutil" command.  Maybe there could be an
> Elisp interface around it.

I never used NSS tools before and just gave it a try.

What do you think about using cmsutil (with switches -D -k) for
signature verification instead of (or in addition to) signver, which
would import non-root certificates automatically?

BTW, I failed to use signver on the command line with switch -s: The
tool truncated my signature file and waited on stdin for a
signature.  Is that a bug or am I missing something?  (Redirection
from stdin without -s, similarly to your code, worked.)

Best wishes
Jens




* Re: RFC: use NSS for S/MIME
  2016-03-03  8:20 RFC: use NSS for S/MIME Daiki Ueno
  2016-03-04 14:52 ` Jens Lechtenboerger
@ 2016-03-23 18:50 ` Greg Troxel
  1 sibling, 0 replies; 5+ messages in thread
From: Greg Troxel @ 2016-03-23 18:50 UTC (permalink / raw)
  To: Daiki Ueno; +Cc: ding


Daiki Ueno <ueno@gnu.org> writes:

> After seeing Greg's report on S/MIME interoperability issue[1], I was
> thinking that it might be a good idea to add an S/MIME backend using NSS
> instead of gpgsm.

Sorry, I've had gnus paged out while dealing with other $DAYJOB issues.

> The rationale behind this is:
>
> - The certificate/key database could be shared with other major MUAs,
>   such as Evolution or Thunderbird.
>
> - For OpenPGP, GnuPG is the de-facto and there is no free alternative.
>   For S/MIME, however, NSS is more widely used, and I expect that it had
>   been tested better.
>
> What do people think?  I have a basic wrapper implementation[2] (though
> I might not have time to finish the integration of it into Gnus).
>
> Regards,
>
> Footnotes: 
> [1]  http://article.gmane.org/gmane.emacs.gnus.general/86677
>
> [2]  https://github.com/ueno/smime-nss-el

I think this would be great.  I realize nss may have its own issues, but
given that it exists and is in use, letting gnus use either seems like a
big step forward.
