Re: Automatic retrieval of certificates (S/MIME)
From: Simon Josefsson
Subject: Re: Automatic retrieval of certificates (S/MIME)
Date: Thu, 27 Jan 2005 19:33:02 +0100
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3.50 (gnu/linux)
Stefan Kamphausen <skampi@gmx.de> writes:
> Hi,
>
> today I've been playing around with the S/MIME stuff in Gnus. While
> it all works as expected there is one glitch that I can't fix anyhow.
>
> When I send a message to a friend using his certificate to encrypt and
> mine to sign the message I have to explicitly state which certificate
> to use for signing (at least this is filled with a reasonable default
> from smime-keys) and which for encryption (this is just a
> read-file-name on the smime-certificate-directory). It would be very
> nice if those were picked according to the recipient's email address
> taken from the "To:"-header and the "From:" address respectively.
Yes, although I'm not sure how to implement that. Mapping e-mail
addresses to S/MIME certificates is not well standardized under Unix.
There is no per-user S/MIME directory on the local machine to use.
If you want to think about how this would work, and perhaps implement
it, that would be very useful.
> Furthermore the sending of the message keeps asking me for another
> round of signature and encryption certificate. This time it's for the
> saving of the message in the Gcc-Header (at least I think I found that
> by doing some experiments, giving the false encryption argument leads
> to my not being able to decrypt the message when viewing my
> sent-box). The most confusing part in this is that I can't see from
> the prompts or the message display for which recipient I have to give
> the encryption key.
Your analysis is correct. There is a variable that you can set so the
GCC'd copy contains the raw MML tags instead of the encoded version.
The reason for encoding things twice is that encoding a message for
mail/news is in theory different from encoding it for GCC. The same
formatting logic cannot always be used. So that's why Gnus encodes the
message twice. It is arguably a bug. On the other hand, a better
solution might be to make S/MIME sign/encrypt so smooth that you
wouldn't care that it is encoded twice.
If you want what is sent through mail, you can use 'Bcc' instead of
'Gcc'.
> Am I missing something here? I've dived into mml-sec.el and
> mml-smime.el and I think that the insertion of the mml statement
> _might_ already contain the certificates but maybe I just didn't
> understand it.
You can specify the key/cert in the MML tags, if that is what you
meant. See 'MML Definition' in the Emacs MIME manual. You can say,
e.g.:
<#part sign=smime keyfile="~/cacert.user.key">
Hm. I now realize that part of what you are wishing for is already
implemented for the S/MIME partial signing. When I pressed "Secure
MIME Part" -> "S/MIME Sign Part" it automatically added the 'keyfile'
parameter, because my smime-keys variable says:
'(smime-keys (quote (("simon@josefsson.org" "~/certs/jas.key+cert" nil)
                     ("jas@extundo.com" "~/cacert.user.key" ("~/cacert.crt"))
                     ("sj@extundo.com" "~/certs/sj.key+cert" nil))))
Can you try if
<#!secure method=smime mode=sign keyfile="foo">
works? If so, perhaps you can locate the code that adds the keyfile
parameter to the MIME part tags, and add it to the full-message MML
tag code.
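The lookup the thread is asking for, as an added example that is not part of this message or of Gnus itself: pick the signing key for a From: address out of `smime-keys` (the real Gnus variable, in the (ADDRESS KEYFILE CERTFILES) format shown above) and the encryption certificate for a To: address by a file-naming convention under `smime-certificate-directory` (also a real Gnus variable). Everything else, including the `my-` function names, the sample key list, the convention that a recipient's certificate file is named after the address, and the `<#part ...>` tag built at the end, is an assumption for illustration. The tag uses the per-part form confirmed in the message above; whether the full-message `<#secure ...>` tag accepts the same parameters is exactly what the message asks to test.

```elisp
;; Added example, not Gnus code.  Assumes the two Gnus variables
;; `smime-keys' and `smime-certificate-directory'; everything prefixed
;; `my-' is hypothetical.
(require 'smime)

(defvar my-smime-keys-sample
  '(("simon@josefsson.org" "~/certs/jas.key+cert" nil)
    ("jas@extundo.com" "~/cacert.user.key" ("~/cacert.crt"))
    ("sj@extundo.com" "~/certs/sj.key+cert" nil))
  "Constructed sample in the format of `smime-keys': (ADDRESS KEYFILE CERTFILES).")

(defun my-smime-keyfile-for (address &optional keys)
  "Return the keyfile in KEYS (default `smime-keys') registered for ADDRESS.
Comparison is case-insensitive so that a differently cased From:
header still finds the key.  Returns nil when there is no entry."
  (let ((wanted (downcase address))
        found)
    (dolist (entry (or keys smime-keys) (and found (nth 1 found)))
      (when (and (not found)
                 (string= (downcase (car entry)) wanted))
        (setq found entry)))))

(defun my-smime-certfile-for (address &optional dir)
  "Return the certificate file for ADDRESS under DIR, or nil.
DIR defaults to `smime-certificate-directory'.  The convention assumed
here is that the file is named after the address, e.g.
DIR/friend@example.org.  Only a readable file is returned, so the
caller can fall back to prompting instead of encrypting to nothing."
  (let ((file (expand-file-name address
                                (or dir smime-certificate-directory))))
    (and (file-readable-p file) file)))

(defun my-smime-part-tag (from to &optional keys dir)
  "Build an MML part tag signing as FROM and encrypting to TO.
Signals an error instead of silently dropping a parameter, because a
tag without keyfile/certfile is what causes the extra prompts the
thread complains about."
  (let ((keyfile (my-smime-keyfile-for from keys))
        (certfile (my-smime-certfile-for to dir)))
    (unless keyfile
      (error "No signing key for %s in smime-keys" from))
    (unless certfile
      (error "No certificate file for %s in %s"
             to (or dir smime-certificate-directory)))
    ;; %S quotes the file names, matching the keyfile="..." syntax
    ;; shown in the message above.
    (format "<#part sign=smime encrypt=smime keyfile=%S certfile=%S>\n"
            keyfile certfile)))

;; Usage against the constructed sample (no certificate directory is
;; touched by the key lookup alone):
;; (my-smime-keyfile-for "JAS@extundo.com" my-smime-keys-sample)
;; returns "~/cacert.user.key"
```

The two lookups are kept separate on purpose: the signing key is private and must come from `smime-keys`, while the recipient certificate is public and may be found later by other means (the message mentions DNS/LDAP style retrieval as not yet standardized), so only `my-smime-certfile-for` would need replacing to change the retrieval strategy. Whatever supplies the address strings (for example `message-fetch-field` on the From: and To: headers) should strip the display name first, since the lookup compares bare addresses.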