From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Baptiste <bateast@bat.fr.eu.org>, notmuch@notmuchmail.org
Subject: Re: Smime signature verification in Notmuch - Emacs
Date: Fri, 14 Mar 2014 11:14:52 -0400 [thread overview]
Message-ID: <53231CEC.6070101@fifthhorseman.net> (raw)
In-Reply-To: <87siqlrqq8.fsf@bat.fr.eu.org>
[-- Attachment #1: Type: text/plain, Size: 2129 bytes --]
Hi Baptiste--
On 03/14/2014 06:58 AM, Baptiste wrote:
> firstly, sorry for my previous mail, you are right, it was broken. This one
> should be better.
i didn't mean to imply it was broken at all. i haven't tested it :)
> Truly, it would be better to implement it directly in notmuch core.
i agree with this.
> Signature verification just present a line with the signature owner and the
> trust chain status (/green/ for good verification, /orange/ for self signed only
> signature). No verification is made today against :From field.
what does "good verification" mean? This seems to imply that there is a
trusted root store used. how does the user configure this trust store?
what about non-self-signed and unvalidated certificates? (e.g. certs by
unknown issuers, certs by known but untrusted issuers, certs with
unknown signature algorithms, certs without proper EKUs for creating
S/MIME signatures, etc.)
> (green) [ Good signature by: bateast@bat.fr.eu.org - 08F4ED ]
> (orange) [ Good signature by key: 0x08F4ED self signed for bateast@bat.fr.eu.org ]
the use of 08F4ED here is a bit confusing. i see from further below
that this refers to the serial number of the cert; but serial numbers
are not guaranteed to be unique (they are supposed to be unique across
issuers, but most root trust stores (and X.509 chains) can accept
certifications from different issuers). what does displaying this
information do for the user?
> My opinion is that S/MIME is more and more widely used today, and then relying
> only on gpg for signature or encryption is a bit rough.
I agree that S/MIME support would be nice; i think implementing it in
the notmuch core is the way to go. fwiw, gmime already has a
cryptocontext that is supposed to handle S/MIME; it just needs proper
integration, similar to the PGP/MIME integration in notmuch core:
https://developer.gnome.org/gmime/stable/GMimePkcs7Context.html
This has been on my plate for, uh, over a year now, but clearly i
haven't gotten to it, and would be happy if someone else wanted to pick
it up.
--dkg
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 1010 bytes --]
next prev parent reply other threads:[~2014-03-14 15:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-03 17:29 Smime signature verification in Notmuch - Emacs Baptiste
2014-03-11 18:03 ` Daniel Kahn Gillmor
2014-03-14 10:58 ` Baptiste
2014-03-14 15:14 ` Daniel Kahn Gillmor [this message]
2014-03-14 18:08 ` David Bremner
2014-03-14 18:12 ` Daniel Kahn Gillmor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53231CEC.6070101@fifthhorseman.net \
--to=dkg@fifthhorseman.net \
--cc=bateast@bat.fr.eu.org \
--cc=notmuch@notmuchmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).