From: Greg Troxel
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Refactoring of mml1991.el, mml2015.el, mml-smime.el
Date: Sun, 18 Oct 2015 10:09:32 -0400
To: Jens Lechtenboerger
Cc: ding@gnus.org
In-Reply-To: <87k2qmsrt1.fsf@informationelle-selbstbestimmung-im-internet.de> (Jens Lechtenboerger's message of "Fri, 16 Oct 2015 18:26:34 +0200")
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.3 (berkeley-unix)

Jens Lechtenboerger writes:

[I have not yet absorbed your entire message and am commenting selectively.]

> * Passphrase caching
>
> If I’m not mistaken, with GnuPG 2.x (and gpgsm) passphrases cannot be
> cached within Emacs as gpg-agent is started automatically and tries to
> invoke a pinentry program. So caching-related variables only apply to
> GnuPG 1.x and S/MIME with openssl (I suggest not to advertise the
> latter any longer, see separate point below).

I'm not sure that it is "cannot", as it seems that gpg2 should be
configurable not to use gpg-agent. But, I can't find that in the docs,
and it seems clear that gpg-agent is the gnupg-recommended method.

Also, one can use gpg-agent with gnupg1 with the "use-agent" option.

> In fact, one of my test cases
> (mml-epg-en-decrypt-passphrase-no-cache-smime-todo)
> has an expected failure for gpgsm, as the cache is not inspected.
> Another test case (mml-epg-en-decrypt-passphrase-no-cache-openpgp-todo)
> is skipped for GnuPG 2.x.

> Is there a way to cache passphrases within Emacs, even with gpgsm and
> GnuPG 2.x?

Are you saying that you think it is a good idea to cache passphrases
within emacs, for general use, or to enable tests?

> Note that GnuPG 2.x is where the development happens, and according to
> GnuPG’s README, “2.0 is the current stable version for general use”,
> while “1.4 is the old standalone version which is most suitable for
> older or embedded platforms.”

> So, if we cannot cache for the current stable version, should we not
> recommend caching inside gpg-agent in general and get rid of the
> associated code? Even if there was a way, should we not recommend
> caching inside gpg-agent in general?

I'm having a little trouble following "should we not". So if you mean:

  within elisp code in gnus/epg/etc. we should remove the code that
  caches passphrases

  we should expect people to use gnupg's gpg-agent(1) program to deal
  with caching if they want to cache, including telling people to do
  that with gnupg1.

  we should realize that openssl-based mime will not have any caching
  in emacs or externally, but that's ok because that code is or will be
  deprecated soon

then that sounds good.

> * Preference for openssl vs epg (gpgsm)
>
> Currently, Gnus prefers openssl over epg (gpgsm), via
> (defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))
> in mml-smime.el. However, epg does not get loaded on its own even if it
> is present. Thus, users need to set mml-smime-use or require epg in
> their ~/.emacs, but the manual does not mention gpgsm at all.
> Where would be an appropriate place to (require 'epg)?

> I propose to change that preference in favor of epg (gpgsm) as:
> ** Gpgsm manages certificates (storage, expiry, revocation).
>    Users need to perform those tasks manually with openssl.
> ** Openssl has bugs as documented in the BUGS section of man smime(1).
>    In particular: SMIMECapabilities are ignored, no revocation checking
>    is done on the signer's certificate.
> ** Advertised SMIMECapabilities include broken encryption algorithms.
>    With the precompiled openssl 1.0.1f on my system RC2 is advertised,
>    which should have been dropped since S/MIME 3.x, see:
>    https://tools.ietf.org/html/rfc5751#appendix-B

Having tried to use both for S/MIME, I concur with recommending gpgsm.
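An added example, not from this thread and not code from Gnus or Emacs, illustrating the load-order effect behind the mml-smime-use default discussed above (the defcustom evaluates (featurep 'epg) when mml-smime.el is loaded, so unless epg was required earlier the default silently becomes 'openssl) and one way a user's ~/.emacs can pin the gpgsm backend explicitly. The function names my-mml-smime-backend-preference and my-mml-smime-use-gpgsm are hypothetical; mml-smime-use, featurep, require and executable-find are the real Emacs names, and a GnuPG 2.x installation providing a gpgsm binary is assumed.

```elisp
;; Added example (not part of the thread or of Gnus).  Assumes Emacs with
;; Gnus and a GnuPG 2.x installation that provides the gpgsm binary.

;; Mirror of the defcustom's default expression, so the load-order effect
;; is visible: evaluate this before and after (require 'epg) and the
;; result flips from openssl to epg.  Name is hypothetical.
(defun my-mml-smime-backend-preference ()
  "Return the backend mml-smime-use would default to if mml-smime loaded now."
  (if (featurep 'epg) 'epg 'openssl))

;; Fix 1: make the feature present before Gnus loads mml-smime.el, so the
;; defcustom's own default evaluates to epg.
(require 'epg)

;; Fix 2 (independent of load order): select the backend explicitly and
;; confirm that gpgsm is actually reachable, so a missing binary fails
;; loudly at startup instead of at the first signed or encrypted message.
;; Setting the variable before mml-smime loads is safe: defcustom keeps an
;; already-bound value rather than overwriting it with the default.
;; Name is hypothetical.
(defun my-mml-smime-use-gpgsm ()
  "Select epg/gpgsm for S/MIME in Gnus; signal an error if gpgsm is absent."
  (unless (executable-find "gpgsm")
    (error "gpgsm not found in exec-path; install GnuPG 2.x before selecting epg"))
  (setq mml-smime-use 'epg)
  mml-smime-use)

(my-mml-smime-use-gpgsm)   ; => epg on a system where gpgsm is installed
```

The explicit setq is the part worth keeping in ~/.emacs: it does not depend on which library happens to load first, and the executable-find check turns a silent fallback to openssl (with the SMIMECapabilities and revocation-checking caveats from the quoted message) into a visible configuration error.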