Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
From: Martin Christensen <knightsofspamalot-factotum@gvdnet.dk>
Subject: Re: S/MIME and encrypted certificates
Date: Sun, 22 Jun 2003 00:55:03 +0200
Message-ID: <873ci39h2w.fsf@gvdnet.dk>
In-Reply-To: <iluznkbjgo6.fsf@latte.josefsson.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Simon" == Simon Josefsson <jas@extundo.com> writes:
>> The Info pages about message security describe that when dealing
>> with S/MIME, certificates are expected to be stored in PEM format,
>> which is also explained to be unencrypted. For all things OpenPGP,
>> it happily prompts me for a passphrase for my keyring. The
>> authority that has given me this certificate does not allow the
>> certificate to be stored unencrypted on disk.
Simon> Do you mean the private key?

Yes.

>> Is it not possible to convince the SSL thingy (or whatever handles
>> S/MIME) to do the same, or would I have to implement this myself
>> (which doesn't look too difficult, at least using OpenSSL)?
Simon> Actually smime.el support this now, the documentation is not up
Simon> to date.

I'll say! :-) I must say, I had a rather difficult time grokking much
of the code, not because it itself is difficult to follow, but because
the documentation gave me an impression that the code would work in a
way that it doesn't. Oh well...

Simon> When you sign a S/MIME message, Gnus asks you for a
Simon> passphrase.  This passphrase is passed on to OpenSSL via a
Simon> environment variable and used to decrypt the PEM file.  If the
Simon> files aren't encrypted, just type RET as the passphrase.

Yes, so I noticed. This seems a very strange way of doing it. The
implementation to do so... well, I'm not much of an ELisp programmer,
but it seemed to me that it could be made more straightforward.

Simon> (Environment variables may not be the best idea though,
Simon> improvements are welcome.

Passing the passphrase as a command-line argument seems the most
straightforward way of doing so. Here, have a diff. :-) I've done
some rudimentary testing, and it seems to work fine.

249c249
< 	(passphrase (smime-ask-passphrase))
- ---
> 	(passphrase (concat "pass:" (smime-ask-passphrase)))
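Review bot: the `(concat "pass:" ...)` on the `>` line puts the passphrase itself into the openssl argv, which on most Unix systems every local user can read with `ps` or from /proc/<pid>/cmdline; the `env:GNUS_SMIME_PASSPHRASE` source it replaces is only readable by processes running as the same user. OpenSSL's `-passin` also accepts `file:` (a temporary file created with mode 0600) and `fd:`, either of which keeps the secret off the command line while still avoiding the environment.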
251,252d250
<     (if passphrase
< 	(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
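Review bot: dropping the `(if passphrase ...)` guard means `-passin` is now passed unconditionally. Since `concat` treats nil as an empty sequence, a nil return from `smime-ask-passphrase` (the RET case for an unencrypted key) becomes a bare `pass:` spec; worth confirming that openssl ignores `-passin` for an unencrypted key rather than failing on the empty passphrase.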
260,262c258
< 			      (list "-passin" "env:GNUS_SMIME_PASSPHRASE"))))
< 		(if passphrase
< 		    (setenv "GNUS_SMIME_PASSPHRASE" "" t))
- ---
> 			      (list "-passin" passphrase))))
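Review bot: the removed `(setenv "GNUS_SMIME_PASSPHRASE" "" t)` was the only place the secret was cleared after the call; with the `pass:` form there is no variable to clear, but the passphrase now stays in the child's argv for its whole lifetime instead. If the command-line form is kept, the exposure in the process list should be documented next to `smime-ask-passphrase`; `-passin fd:` over a pipe or `file:` would keep the non-environment behaviour without it.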
379c375
< 	CAs (passphrase (smime-ask-passphrase))
- ---
> 	CAs (passphrase (concat "pass:" (smime-ask-passphrase)))
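Review bot: same exposure as in the signing hunk: the decrypt path now places the passphrase in argv via `pass:`. Whichever source is chosen, the sign and decrypt paths should agree on it, so one helper that builds the `-passin` spec from `smime-ask-passphrase` would avoid repeating the change at both call sites.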
381,382d376
<     (if passphrase
< 	(setenv "GNUS_SMIME_PASSPHRASE" passphrase))
388,390c382
< 		       (list "-passin" "env:GNUS_SMIME_PASSPHRASE")))
< 	  (if passphrase
< 	      (setenv "GNUS_SMIME_PASSPHRASE" "" t))
- ---
> 		       (list "-passin" passphrase)))
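Review bot: after this change the `passphrase` binding no longer holds the passphrase but a `-passin` source string (`pass:...`), while the `(list "-passin" passphrase)` call reads as though the bare secret were passed; renaming the variable (for example `passin`) at both call sites would make the intent clear to the next reader.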


Simon> However, if you decide to work on this, please consider
Simon> modifying the S/MIME support in Gnus to use something else than
Simon> OpenSSL, so the improvements eventually help free software.)

I'm not sure I understand you. Doesn't OpenSSL qualify as free
software? From what I understand it's just standard OpenBSD stuff.
Moreover, I am next to ignorant regarding the alternatives. What else
can do S/MIME signatures, encryption and verification? Also, I don't
really know much about S/MIME in general. Speaking of which, is it
really necessary to include the public key (as I assume it is) with
each message?

Martin

- -- 
Homepage:       http://www.cs.auc.dk/~factotum/
GPG public key: http://www.cs.auc.dk/~factotum/gpgkey.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using Mailcrypt+GnuPG <http://www.gnupg.org>

iEYEARECAAYFAj704kcACgkQYu1fMmOQldV87wCgyuJ64PsSk6p5lRMoWAKyE6+l
eUoAoNVk2YhkFQgqafyYouZXMPi50xd4
=WmxD
-----END PGP SIGNATURE-----


Thread overview: 5+ messages
     [not found] <87d6h7bf7c.fsf@gvdnet.dk>
2003-06-21 20:53 ` Simon Josefsson
2003-06-21 22:55   ` Martin Christensen [this message]
2003-06-22  1:33     ` Ben Elliston
     [not found]       ` <87y8zu94o0.fsf@gvdnet.dk>
2003-06-22 11:40         ` Simon Josefsson
     [not found]     ` <ilusmq2jq8s.fsf@latte.josefsson.org>
2003-06-23  1:45       ` Jesper Harder