From: Eric Abrahamsen <eric@ericabrahamsen.net>
To: Illia Ostapyshyn <illia@yshyn.com>
Cc: larsi@gnus.org, Eli Zaretskii <eliz@gnu.org>,
67931@debbugs.gnu.org, stefankangas@gmail.com
Subject: bug#67931: [PATCH] Use S/MIME key from content for mail signing via OpenSSL
Date: Thu, 09 May 2024 16:47:13 -0700 [thread overview]
Message-ID: <87fruqsg3i.fsf@ericabrahamsen.net> (raw)
In-Reply-To: <k8u34qs1o96.fsf@yshyn.com> (Illia Ostapyshyn's message of "Wed, 08 May 2024 14:28:37 +0200")
Illia Ostapyshyn <illia@yshyn.com> writes:
> Eric Abrahamsen <eric@ericabrahamsen.net> writes:
>
>> The patch seems to work as intended -- I won't claim to know enough
>> about SMIME to know if it does the right thing or not. Can you briefly
>> explain what the additional certificates actually do, and why they're
>> useful in signing but not in encryption?
>
> End-user SMIME certificates are signed by the (intermediate) CAs that
> issued them. The issuer's certificate can be in turn signed by another
> CA up the hierarchy, resulting in a chain that ends with the implicitly
> trusted root authority. When signing a message, you can include the
> intermediate CA certificates, allowing the recipient to verify the whole
> chain. With openssl, this is done via the -certfile argument [1]:
>
> -certfile file
> Allows additional certificates to be specified. When signing these
> will be included with the message. When verifying these will be
> searched for the signers certificates. ...
Thanks! So basically like TLS cert chaining.
> Encryption is orthogonal to this: it only uses the public keys of your
> recipients from their certificates, the chain is irrelevant.
I'm mostly trying to understand how broken this was, prior to this
patch. Obviously there was the hard-coding of the key, the original
issue. Has encryption been broken this whole time, too?
Encryption is a separate MML tag, right? And also a separate cert (the
recipient's, not the user's). Why would additional certificates on your
own certfile interfere with the process of encrypting to the user?
I'm not trying to be difficult, I'd just like to have a better grasp of
what's going on here!
> The MML tag parameter names are a bit unfortunate here: the new
> `chainfile' parameter translates to "-cerfile" arguments and the
> existing `certfile' parameters translate to positional "recipcert"
> arguments of openssl [1].
I'm not too concerned about that, the vast majority of the time this
process should be automatic.
Eric
next prev parent reply other threads:[~2024-05-09 23:47 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-20 13:16 bug#67931: [PATCH] Use S/MIME key from content for mail signing via OpenSSL Illia Ostapyshyn
2024-01-11 21:05 ` Stefan Kangas
2024-05-06 18:43 ` Illia Ostapyshyn
2024-05-06 18:46 ` Illia Ostapyshyn
2024-05-07 12:35 ` Eli Zaretskii
2024-05-07 14:21 ` Illia Ostapyshyn
2024-05-08 2:05 ` Eric Abrahamsen
2024-05-08 2:20 ` Eric Abrahamsen
2024-05-08 2:28 ` Eric Abrahamsen
2024-05-08 12:28 ` Illia Ostapyshyn
2024-05-09 23:47 ` Eric Abrahamsen [this message]
2024-05-10 11:20 ` illia
2024-05-10 20:02 ` Eric Abrahamsen
2024-05-14 12:53 ` Illia Ostapyshyn
2024-05-14 14:45 ` Eric Abrahamsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87fruqsg3i.fsf@ericabrahamsen.net \
--to=eric@ericabrahamsen.net \
--cc=67931@debbugs.gnu.org \
--cc=eliz@gnu.org \
--cc=illia@yshyn.com \
--cc=larsi@gnus.org \
--cc=stefankangas@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.