From: Daniel Kahn Gillmor
To: Notmuch Mail
Subject: difficulty in rendering S/MIME signature status from some certificates
Date: Wed, 26 May 2021 19:32:10 -0400
Message-ID: <878s41ax6t.fsf@fifthhorseman.net>

Hi folks--

id:e4a7efe92433f7c3e5dedeac0ea4efc003020296.camel@ericsson.com from the IETF LAMPS WG mailing list can be found at https://mailarchive.ietf.org/arch/msg/quic/FpbJTLXsoFLSNr--LgxCOC6IssY.

When rendering it, notmuch-emacs shows:

[ Good signature by: 1.2.840.113549.1.9.1=#6D61676E75732E7765737465726C756E64406572696373736F6E2E636F6D,CN=Magnus Westerlund,O=Ericsson ]

1.2.840.113549.1.9.1 is the OID for emailAddress in distinguished names. This field is deprecated according to https://www.oid-info.com/get/1.2.840.113549.1.9.1 and §5.2.1 of https://datatracker.ietf.org/doc/html/rfc2985#page-7, but it is still very much in use, as evidenced by the message's X.509 certificate, which was issued less than a year ago (on 2020-12-11) with a 3-year validity window.

I wanted to make this visible in notmuch as the more legible form "EMAIL=magnus.westerlund@ericsson.com,CN=Magnus Westerlund,O=Ericsson".

I tracked it down to a constraint in libksba's parsing code, and reported it to GnuPG (libksba's upstream) here: https://dev.gnupg.org/T5450 and the fix was rejected.

I don't think that notmuch should try to contain any string-to-DN parsing code, and notmuch's use of gmime here is basically a passthrough from gpgme, so I'm a bit stuck.

It occurs to me that maybe notmuch should be identifying the e-mail address (and only the e-mail address?) instead of the other elements of the user ID, which are more dubious than the e-mail address anyway. It seems possible to do this by using the g_mime_certificate's email field in preference to the g_mime_certificate's user_id field, at least for this particular certificate, because it contains a subjectAltName of type rfc822name that is just the e-mail address.

I see a couple different options available to do this:

a) add an "email?" field to the "signature" object in devel/schemata, and then teach notmuch-emacs to render that instead of the userid field in cases where it's present.

b) replace the content of the userid field in the "signature" object with the e-mail address entirely.

I'm leaning toward (a), though it requires fiddling in more places. At the very least, the first step of (a) doesn't seem objectionable.

(note: GMimeCertificate's email field itself is of somewhat dubious provenance, and I'm trying to clean that up at https://github.com/jstedfast/gmime/pull/102)

What do folks think?

--dkg
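As an added illustration (not part of dkg's message, and not notmuch, gmime, gpgme or libksba code), here is a small Python decoder for the DN string form quoted above. It splits the RFC 4514 string into RDNs, maps the 1.2.840.113549.1.9.1 OID to the "EMAIL" label dkg proposes, decodes the "#"-prefixed hex value, and pulls the e-mail address out of the DN so that only that element is shown. Two things are my assumptions, not something the mail states: the "EMAIL" label is a display choice rather than a standard short name, and a hex value may arrive either as raw string bytes (which is what the rendering above contains, since the hex starts with "6D", the letter m) or as a BER-wrapped string as RFC 4514 section 2.4 specifies, so the decoder accepts both. The function names and the sample inputs are constructed for the example.

```python
"""Render an RFC 4514 DN string whose emailAddress attribute appears as
'1.2.840.113549.1.9.1=#<hex>' in a legible form, and extract the address.

Constructed example; not notmuch/gmime/libksba code.
"""
import re

# OID -> display label for DN attributes that commonly appear in S/MIME subjects.
# "EMAIL" for 1.2.840.113549.1.9.1 is the rendering proposed in the mail; it is a
# display choice (assumption), not a short name defined by RFC 4514.
OID_NAMES = {
    "1.2.840.113549.1.9.1": "EMAIL",
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
}

# Universal tags of the ASN.1 string types an emailAddress might be wrapped in
# when the hex form carries a full BER TLV (UTF8String, PrintableString, IA5String).
_BER_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}


def decode_hex_value(hexstr):
    """Decode a '#'-less hex attribute value.

    Accepts both raw string bytes (as in the rendering quoted in the mail) and a
    BER TLV with a short-form length (assumption about other producers).
    """
    raw = bytes.fromhex(hexstr)
    if (len(raw) >= 2 and raw[0] in _BER_STRING_TAGS
            and raw[1] < 0x80 and raw[1] == len(raw) - 2):
        return raw[2:].decode(_BER_STRING_TAGS[raw[0]])
    return raw.decode("utf-8")


def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep the escape pair intact for now
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    """Undo single-character RFC 4514 escapes such as '\\,' (hex-pair escapes not handled)."""
    return re.sub(r"\\(.)", r"\1", value)


def _attr_and_value(rdn):
    attr, _, value = rdn.partition("=")
    attr = attr.strip()
    value = decode_hex_value(value[1:]) if value.startswith("#") else unescape(value)
    return attr, value


def render_dn(dn):
    """Return the DN with known OIDs replaced by labels and hex values decoded."""
    return ",".join(f"{OID_NAMES.get(attr, attr)}={value}"
                    for attr, value in map(_attr_and_value, split_rdns(dn)))


def email_from_dn(dn):
    """Return only the emailAddress attribute value, or None if the DN has none."""
    for attr, value in map(_attr_and_value, split_rdns(dn)):
        if attr in ("1.2.840.113549.1.9.1", "EMAIL", "emailAddress"):
            return value
    return None


# Constructed input: the DN exactly as notmuch-emacs rendered it in the mail.
SAMPLE_DN = ("1.2.840.113549.1.9.1=#6D61676E75732E7765737465726C756E64406572696373736F6E2E636F6D"
             ",CN=Magnus Westerlund,O=Ericsson")

if __name__ == "__main__":
    print(render_dn(SAMPLE_DN))     # EMAIL=magnus.westerlund@ericsson.com,CN=Magnus Westerlund,O=Ericsson
    print(email_from_dn(SAMPLE_DN))  # magnus.westerlund@ericsson.com
```

Running it on the quoted DN yields the "EMAIL=..." form the mail asks for, and email_from_dn gives the address-only rendering that option (a) would expose through a separate "email" field, which is why a display layer need not carry a full DN parser once the address is delivered on its own.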