Jens Lechtenboerger writes:

[I have not yet absorbed your entire message and am commenting selectively.]

> * Passphrase caching
>
> If I’m not mistaken, with GnuPG 2.x (and gpgsm) passphrases cannot be
> cached within Emacs as gpg-agent is started automatically and tries to
> invoke a pinentry program. So caching-related variables only apply to
> GnuPG 1.x and S/MIME with openssl (I suggest not to advertise the
> latter any longer, see separate point below).

I'm not sure that it is "cannot", as it seems that gpg2 should be
configurable not to use gpg-agent. But, I can't find that in the docs,
and it seems clear that gpg-agent is the gnupg-recommended method.
Also, one can use gpg-agent with gnupg1 with the "use-agent" option.

> In fact, one of my test cases
> (mml-epg-en-decrypt-passphrase-no-cache-smime-todo)
> has an expected failure for gpgsm, as the cache is not inspected.
> Another test case (mml-epg-en-decrypt-passphrase-no-cache-openpgp-todo)
> is skipped for GnuPG 2.x.
> Is there a way to cache passphrases within Emacs, even with gpgsm and
> GnuPG 2.x?

Are you saying that you think it is a good idea to cache passphrases
within emacs, for general use, or to enable tests?

> Note that GnuPG 2.x is where the development happens, and according to
> GnuPG’s README, “2.0 is the current stable version for general use”,
> while “1.4 is the old standalone version which is most suitable for
> older or embedded platforms.”
> So, if we cannot cache for the current stable version, should we not
> recommend caching inside gpg-agent in general and get rid of the
> associated code? Even if there was a way, should we not recommend
> caching inside gpg-agent in general?

I'm having a little trouble following "should we not". So if you mean:

  - within elisp code in gnus/epg/etc. we should remove the code that
    caches passphrases
  - we should expect people to use gnupg's gpg-agent(1) program to deal
    with caching if they want to cache, including telling people to do
    that with gnupg1.
  - we should realize that openssl-based mime will not have any caching
    in emacs or externally, but that's ok because that code is or will
    be deprecated soon

then that sounds good.

> * Preference for openssl vs epg (gpgsm)
>
> Currently, Gnus prefers openssl over epg (gpgsm), via
> (defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))
> in mml-smime.el. However, epg does not get loaded on its own even if it
> is present. Thus, users need to set mml-smime-use or require epg in
> their ~/.emacs, but the manual does not mention gpgsm at all.
> Where would be an appropriate place to (require 'epg)?
> I propose to change that preference in favor of epg (gpgsm) as:
> ** Gpgsm manages certificates (storage, expiry, revocation).
> Users need to perform those tasks manually with openssl.
> ** Openssl has bugs as documented in the BUGS section of man smime(1).
> In particular: SMIMECapabilities are ignored, no revocation checking
> is done on the signer's certificate.
> ** Advertised SMIMECapabilities include broken encryption algorithms.
> With the precompiled openssl 1.0.1f on my system RC2 is advertised,
> which should have been dropped since S/MIME 3.x, see:
> https://tools.ietf.org/html/rfc5751#appendix-B

Having tried to use both for S/MIME, I concur with recommending gpgsm.
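The last quoted point is that an S/MIME agent can advertise retired algorithms such as RC2 in its SMIMECapabilities attribute. The following is an added example, not code from Gnus, GnuPG or openssl: a minimal DER walker that lists the algorithm OIDs in a DER-encoded SMIMECapabilities attribute (RFC 5751 section 2.5.2) and flags the ones RFC 5751 appendix B no longer allows, so a reviewer can check what a signer actually advertises. The sample attribute is constructed by hand for the example, the list of weak OIDs is an assumption of this example, and all helper names are the example's own.

```python
"""Added example (not Gnus/GnuPG/openssl code): inspect a DER-encoded
SMIMECapabilities attribute and flag retired algorithms such as RC2."""

SMIME_CAPABILITIES = "1.2.840.113549.1.9.15"  # id-smime-capabilities

# Algorithms an S/MIME agent should no longer advertise (assumed list
# for this example, following RFC 5751 appendix B).
WEAK_ALGORITHMS = {
    "1.2.840.113549.3.2": "RC2-CBC",
    "1.2.840.113549.3.4": "RC4",
    "1.3.14.3.2.7": "DES-CBC",
}


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one TLV with a single-byte tag."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # last base-128 digit, no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # final octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_children(content):
    """Split a constructed value into its (tag, value) elements."""
    items, i = [], 0
    while i < len(content):
        tag, length, i = content[i], content[i + 1], i + 2
        if length & 0x80:               # long form: following bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(content[i:i + n], "big")
            i += n
        items.append((tag, content[i:i + length]))
        i += length
    return items


def advertised_capabilities(attribute_der):
    """Return the capability OIDs of one SMIMECapabilities attribute.

    Attribute ::= SEQUENCE { type OID, values SET OF SMIMECapabilities }
    SMIMECapabilities ::= SEQUENCE OF SEQUENCE { capabilityID OID, ... }
    """
    (tag, body), = der_children(attribute_der)
    if tag != 0x30:
        raise ValueError("attribute must be a SEQUENCE")
    (type_tag, type_oid), (set_tag, set_body) = der_children(body)
    if type_tag != 0x06 or decode_oid(type_oid) != SMIME_CAPABILITIES:
        raise ValueError("not an SMIMECapabilities attribute")
    if set_tag != 0x31:
        raise ValueError("attribute values must be a SET")
    (_, caps_body), = der_children(set_body)
    oids = []
    for _, capability in der_children(caps_body):
        alg_tag, alg_oid = der_children(capability)[0]
        if alg_tag != 0x06:
            raise ValueError("capabilityID must be an OID")
        oids.append(decode_oid(alg_oid))
    return oids


def weak_capabilities(attribute_der):
    """Map each advertised weak OID to its algorithm name."""
    return {oid: WEAK_ALGORITHMS[oid]
            for oid in advertised_capabilities(attribute_der)
            if oid in WEAK_ALGORITHMS}


def _capability(oid, parameters=b""):
    return der(0x30, encode_oid(oid) + parameters)


# Constructed sample: AES-128-CBC, RC2-CBC with a 40-bit key parameter,
# and 3DES-CBC, as an older client might advertise them.
SAMPLE_ATTRIBUTE = der(0x30, encode_oid(SMIME_CAPABILITIES) + der(0x31, der(
    0x30,
    _capability("2.16.840.1.101.3.4.1.2")
    + _capability("1.2.840.113549.3.2", der(0x02, bytes([40])))
    + _capability("1.2.840.113549.3.7"))))

if __name__ == "__main__":
    print("advertised:", advertised_capabilities(SAMPLE_ATTRIBUTE))
    print("weak:", weak_capabilities(SAMPLE_ATTRIBUTE))
```

To check a real message, extract the DER of the SMIMECapabilities signed attribute from the signer's SignerInfo and pass it to `weak_capabilities`; the walker deliberately accepts only that one attribute shape and raises on anything else rather than guessing.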