From: Martin Christensen
Newsgroups: gmane.emacs.gnus.user
Subject: Re: S/MIME and encrypted certificates
Date: Sun, 22 Jun 2003 00:55:03 +0200
Organization: Customer of Tiscali A/S
Message-ID: <873ci39h2w.fsf@gvdnet.dk>
References: <87d6h7bf7c.fsf@gvdnet.dk>
Original-Newsgroups: gnu.emacs.gnus
X-Conspiracy: There is _no_ Underpant Gnome Conspiracy!
User-Agent: Gnus/5.1001 (Gnus v5.10.1) Emacs/21.2 (gnu/linux)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Simon" == Simon Josefsson writes:

>> The Info pages about message security describe that when dealing
>> with S/MIME, certificates are expected to be stored in PEM format,
>> which is also explained to be unencrypted. For all things OpenPGP,
>> it happily prompts me for a passphrase for my keyring.
>> The authority that has given me this certificate does not allow the
>> certificate to be stored unencrypted on disk.

Simon> Do you mean the private key?

Yes.

>> Is it not possible to convince the SSL thingy (or whatever handles
>> S/MIME) to do the same, or would I have to implement this myself
>> (which doesn't look too difficult, at least using OpenSSL)?

Simon> Actually smime.el supports this now; the documentation is not up
Simon> to date.

I'll say! :-) I must say, I had a rather difficult time grokking much
of the code, not because it itself is difficult to follow, but because
the documentation gave me an impression that the code would work in a
way that it doesn't. Oh well...

Simon> When you sign an S/MIME message, Gnus asks you for a
Simon> passphrase. This passphrase is passed on to OpenSSL via an
Simon> environment variable and used to decrypt the PEM file. If the
Simon> files aren't encrypted, just type RET as the passphrase.

Yes, so I noticed. This seems a very strange way of doing it. The
implementation to do so... well, I'm not much of an ELisp programmer,
but it seemed to me that it could be made more straight-forward.

Simon> (Environment variables may not be the best idea though,
Simon> improvements are welcome.

Passing the passphrase as a command-line argument seems the most
straight-forward way of doing so. Here, have a diff. :-) I've done
some rudimentary testing, and it seems to work fine.
249c249
< (passphrase (smime-ask-passphrase))
- ---
> (passphrase (concat "pass:" (smime-ask-passphrase)))
251,252d250
< (if passphrase
< (setenv "GNUS_SMIME_PASSPHRASE" passphrase))
260,262c258
< (list "-passin" "env:GNUS_SMIME_PASSPHRASE"))))
< (if passphrase
< (setenv "GNUS_SMIME_PASSPHRASE" "" t))
- ---
> (list "-passin" passphrase))))
379c375
< CAs (passphrase (smime-ask-passphrase))
- ---
> CAs (passphrase (concat "pass:" (smime-ask-passphrase)))
381,382d376
< (if passphrase
< (setenv "GNUS_SMIME_PASSPHRASE" passphrase))
388,390c382
< (list "-passin" "env:GNUS_SMIME_PASSPHRASE")))
< (if passphrase
< (setenv "GNUS_SMIME_PASSPHRASE" "" t))
- ---
> (list "-passin" passphrase)))

Simon> However, if you decide to work on this, please consider
Simon> modifying the S/MIME support in Gnus to use something else than
Simon> OpenSSL, so the improvements eventually help free software.)

I'm not sure I understand you. Doesn't OpenSSL qualify as free
software? From what I understand it's just standard OpenBSD stuff.
Moreover, I am next to ignorant regarding the alternatives. What else
can do S/MIME signatures, encryption and verification?

Also, I don't really know much about S/MIME in general. Speaking of
which, is it really necessary to include the public key (as I assume
it is) with each message?

Martin

- --
Homepage: http://www.cs.auc.dk/~factotum/
GPG public key: http://www.cs.auc.dk/~factotum/gpgkey.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using Mailcrypt+GnuPG

iEYEARECAAYFAj704kcACgkQYu1fMmOQldV87wCgyuJ64PsSk6p5lRMoWAKyE6+l
eUoAoNVk2YhkFQgqafyYouZXMPi50xd4
=WmxD
-----END PGP SIGNATURE-----
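Review bot: the `pass:` prefix introduced at 249c249 and consumed at 260,262c258 (and the twin change at 379c375 / 388,390c382) puts the passphrase into the argument vector of the openssl process, where on most Unix systems any local user can read it with `ps` or from `/proc/<pid>/cmdline` for as long as openssl runs; the `"env:GNUS_SMIME_PASSPHRASE"` form being replaced by `(list "-passin" passphrase)` at least kept it out of the process list. Suggest keeping the `env:` route, or moving to one of the other `-passin` sources OpenSSL accepts that expose the secret to neither `ps` nor the environment (`file:` on a mode-0600 temporary file removed right after the call, or `fd:`), rather than `pass:`.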
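Review bot: the deletions at 251,252d250 and 260,262c258 (likewise 381,382d376 and 388,390c382) drop the post-call scrub `(setenv "GNUS_SMIME_PASSPHRASE" "" t)` without adding a replacement; removing it is consistent now that no variable is set, but the plaintext passphrase still lives on in the `passphrase` string returned by `(concat "pass:" (smime-ask-passphrase))` until it is garbage-collected. Consider overwriting that string after the openssl call (Emacs strings are mutable arrays, so `fillarray` can zero it) so the two call sites keep the clean-up the old code had.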
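The thread compares two of the passphrase sources OpenSSL's `-passin` option accepts: `env:VAR` (what smime.el does) and `pass:STRING` (what the diff does). The script below is an added example written for this page, not code from the thread or from Gnus, and it goes one step beyond the thread by showing the third source, `fd:N`, which keeps the passphrase out of both the argument vector (visible to other users via `ps`) and the environment (inherited by every child the process starts). The self-signed identity, the message and the passphrase are all constructed for the demo; the only assumption is that the `openssl` command-line tool is in PATH.

```sh
#!/bin/sh
# Added example (not from the thread or from Gnus): drive
# "openssl smime -sign" with a passphrase-protected key while keeping
# the passphrase out of the argv (what "pass:" does) and out of the
# environment (what "env:" does) by handing it over an inherited file
# descriptor with "-passin fd:3". Identity and passphrase are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed identity: a self-signed certificate plus an encrypted
# private key, standing in for the CA-issued certificate in the thread.
# The key-generation passphrase also travels over fd 3, never over argv.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=smime-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -passout fd:3 2>/dev/null 3<<'EOF'
demo-passphrase
EOF
}

# Sign $1 into $WORK/signed.txt. The here-document is attached to fd 3
# of the child only: "ps" shows just "-passin fd:3", the environment
# carries nothing, and the pipe disappears once openssl has read it.
sign_with_fd() {
    openssl smime -sign -in "$1" -out "$WORK/signed.txt" \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -passin fd:3 3<<'EOF'
demo-passphrase
EOF
}

# Verify against our own certificate as trust anchor and print the
# signed payload. OpenSSL canonicalises S/MIME text to CRLF, so the CR
# is stripped to make the result comparable to the original file.
verify_signed() {
    openssl smime -verify -in "$WORK/signed.txt" -CAfile "$WORK/cert.pem" \
        2>/dev/null | tr -d '\r'
}

# Succeeds when the passphrase leaked into neither the signed message
# nor the certificate (it should appear in neither).
passphrase_not_in_output() {
    ! grep -q demo-passphrase "$WORK/signed.txt" "$WORK/cert.pem"
}

# Stand-alone run: sign a constructed one-line message and verify it.
make_identity
printf 'hello\n' >"$WORK/msg.txt"
sign_with_fd "$WORK/msg.txt"
verify_signed
```

Run it with `sh demo.sh`; it prints the recovered payload and cleans up the temporary directory on exit. The design point is where each `-passin` source leaves the secret: `pass:` in a world-readable process listing, `env:` in memory inherited by every descendant of the process, `fd:` only in a pipe that exists for the child and is drained as soon as the key is decrypted. From Emacs, which does not hand extra descriptors to `call-process`, the nearest equivalent is `-passin file:` on a temporary file created with mode 0600 and deleted immediately after the call.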