From: Illia Ostapyshyn <illia@yshyn.com>
To: Eric Abrahamsen <eric@ericabrahamsen.net>
Cc: Eli Zaretskii <eliz@gnu.org>,
	67931@debbugs.gnu.org, Illia Ostapyshyn <illia@yshyn.com>,
	larsi@gnus.org, stefankangas@gmail.com
Subject: bug#67931: [PATCH] Use S/MIME key from content for mail signing via OpenSSL
Date: Wed, 08 May 2024 14:28:37 +0200	[thread overview]
Message-ID: <k8u34qs1o96.fsf@yshyn.com> (raw)
In-Reply-To: <87wmo5rq93.fsf@ericabrahamsen.net> (Eric Abrahamsen's message of "Tue, 07 May 2024 19:28:40 -0700")

Eric Abrahamsen <eric@ericabrahamsen.net> writes:

> The patch seems to work as intended -- I won't claim to know enough
> about SMIME to know if it does the right thing or not. Can you briefly
> explain what the additional certificates actually do, and why they're
> useful in signing but not in encryption?

End-user SMIME certificates are signed by the (intermediate) CAs that
issued them.  The issuer's certificate can be in turn signed by another
CA up the hierarchy, resulting in a chain that ends with the implicitly
trusted root authority.  When signing a message, you can include the
intermediate CA certificates, allowing the recipient to verify the whole
chain.  With openssl, this is done via the -certfile argument [1]:

-certfile file
    Allows additional certificates to be specified. When signing these
    will be included with the message. When verifying these will be
    searched for the signers certificates. ...

Encryption is orthogonal to this: it only uses the public keys of your
recipients from their certificates, the chain is irrelevant.

The MML tag parameter names are a bit unfortunate here: the new
`chainfile' parameter translates to "-certfile" arguments and the
existing `certfile' parameters translate to positional "recipcert"
arguments of openssl [1].

[1] https://www.openssl.org/docs/manmaster/man1/openssl-smime.html
