From: Greg Troxel <gdt@lexort.com>
To: Jens Lechtenboerger <jens.lechtenboerger@fsfe.org>
Cc: ding@gnus.org
Subject: Re: Refactoring of mml1991.el, mml2015.el, mml-smime.el
Date: Sun, 18 Oct 2015 10:09:32 -0400 [thread overview]
Message-ID: <smuvba4e09v.fsf@linuxpal.mit.edu> (raw)
In-Reply-To: <87k2qmsrt1.fsf@informationelle-selbstbestimmung-im-internet.de> (Jens Lechtenboerger's message of "Fri, 16 Oct 2015 18:26:34 +0200")
[-- Attachment #1: Type: text/plain, Size: 3469 bytes --]
Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:
[I have not yet absorbed your entire message and am commenting selectively.]
> * Passphrase caching
>
> If I’m not mistaken, with GnuPG 2.x (and gpgsm) passphrases cannot be
> cached within Emacs as gpg-agent is started automatically and tries to
> invoke a pinentry program. So caching-related variables only apply to
> GnuPG 1.x and S/MIME with openssl (I suggest not to advertise the
> latter any longer, see separate point below).
I'm not sure that it is "cannot", as it seems that gpg2 should be
configurable not to use gpg-agent. But, I can't find that in the docs,
and it seems clear that gpg-agent is the gnpug-recommended method.
Also, one can use gpg-agent with gnupg1 with the "use-agent" option.
> In fact, one of my test cases
> (mml-epg-en-decrypt-passphrase-no-cache-smime-todo)
> has an expected failure for gpgsm, as the cache is not inspected.
> Another test case (mml-epg-en-decrypt-passphrase-no-cache-openpgp-todo)
> is skipped for GnuPG 2.x.
> Is there a way to cache passphrases within Emacs, even with gpgsm and
> GnuPG 2.x?
Are you saying that you think it is a good idea to cache passphrases
within emacs, for general use, or to enable tests?
> Note that GnuPG 2.x is where the development happens, and according to
> GnuPG’s README, “2.0 is the current stable version for general use”,
> while “1.4 is the old standalone version which is most suitable for
> older or embedded platforms.”
> So, if we cannot cache for the current stable version, should we not
> recommend caching inside gpg-agent in general and get rid of the
> associated code? Even if there was a way, should we not recommend
> caching inside gpg-agent in general?
I'm having a little trouble following "should we not".
So if you mean:
within elisp code in gnus/epg/etc. we should remove the code that
caches passphrases
we should expect people to use gnupg's gpg-agent(1) program to deal
with caching if they want to cache, including telling people to do
that with gnupg1.
we should realize that openssl-based mime will not have any caching in
emacs or externally, but that's ok because that code is or will be
deprecated soon
then that sounds good.
> * Preference for openssl vs epg (gpgsm)
>
> Currently, Gnus prefers openssl over epg (gpgsm), via
> (defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))
> in mml-smime.el. However, epg does not get loaded on its own even if it
> is present. Thus, users need to set mml-smime-use or require epg in
> their ~/.emacs, but the manual does not mention gpgsm at all.
> Where would be an appropriate place to (require 'epg)?
> I propose to change that preference in favor of epg (gpgsm) as:
> ** Gpgsm manages certificates (storage, expiry, revocation).
> Users need to perform those tasks manually with openssl.
> ** Openssl has bugs as documented in the BUGS section of man smime(1).
> In particular: SMIMECapabilities are ignored, no revocation checking
> is done on the signer's certificate.
> ** Advertised SMIMECapabilities include broken encryption algorithms.
> With the precompiled openssl 1.0.1f on my system RC2 is advertised,
> which should have been dropped since S/MIME 3.x, see:
> https://tools.ietf.org/html/rfc5751#appendix-B
Having tried to use both for S/MIME, I concur with recommending gpgsm.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 180 bytes --]
next prev parent reply other threads:[~2015-10-18 14:09 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-21 10:08 Default encryption for Message Jens Lechtenboerger
2014-09-23 20:02 ` Ted Zlatanov
2014-09-24 13:59 ` Jens Lechtenboerger
2014-09-24 15:28 ` Ted Zlatanov
2014-09-24 2:23 ` Daiki Ueno
2014-09-24 14:30 ` Jens Lechtenboerger
2014-09-25 3:06 ` Daiki Ueno
2014-09-25 16:18 ` Jens Lechtenboerger
2014-09-28 0:16 ` Daiki Ueno
2014-10-02 16:51 ` Jens Lechtenboerger
2015-10-16 16:26 ` Refactoring of mml1991.el, mml2015.el, mml-smime.el (was: Default encryption for Message) Jens Lechtenboerger
2015-10-18 7:36 ` Refactoring of mml1991.el, mml2015.el, mml-smime.el Peter Münster
2015-10-18 14:09 ` Greg Troxel [this message]
2015-10-19 12:58 ` Jens Lechtenboerger
2015-11-06 2:10 ` Daiki Ueno
2015-11-07 20:28 ` Jens Lechtenboerger
2015-11-11 6:20 ` Daiki Ueno
2015-11-14 15:44 ` Jens Lechtenboerger
2015-11-20 16:31 ` in defense of GitLab or something (was: Refactoring of mml1991.el, mml2015.el, mml-smime.el) Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=smuvba4e09v.fsf@linuxpal.mit.edu \
--to=gdt@lexort.com \
--cc=ding@gnus.org \
--cc=jens.lechtenboerger@fsfe.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).