Smime signature verification in Notmuch - Emacs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Mar 14 08:14:52 PDT 2014
Hi Baptiste--
On 03/14/2014 06:58 AM, Baptiste wrote:
> firstly, sorry for my previous mail, you are right, it was broken. This one
> should be better.
i didn't mean to imply it was broken at all. i haven't tested it :)
> Truly, it would be better to implement it directly in notmuch core.
i agree with this.
> Signature verification just present a line with the signature owner and the
> trust chain status (/green/ for good verification, /orange/ for self signed only
> signature). No verification is made today against :From field.
what does "good verification" mean? This seems to imply that there is a
trusted root store used. how does the user configure this trust store?
what about non-self-signed and unvalidated certificates? (e.g. certs by
unknown issuers, certs by known but untrusted issuers, certs with
unknown signature algorithms, certs without proper EKUs for creating
S/MIME signatures, etc.)
> (green) [ Good signature by: bateast at bat.fr.eu.org - 08F4ED ]
> (orange) [ Good signature by key: 0x08F4ED self signed for bateast at bat.fr.eu.org ]
the use of 08F4ED here is a bit confusing. i see from further below
that this refers to the serial number of the cert; but serial numbers
are not guaranteed to be unique (they are supposed to be unique across
issuers, but most root trust stores (and X.509 chains) can accept
certifications from different issuers). what does displaying this
information do for the user?
> My opinion is that S/MIME is more and more widely used today, and then relying
> only on gpg for signature or encryption is a bit rough.
I agree that S/MIME support would be nice; i think implementing it in
the notmuch core is the way to go. fwiw, gmime already has a
cryptocontext that is supposed to handle S/MIME; it just needs proper
integration, similar to the PGP/MIME integration in notmuch core:
https://developer.gnome.org/gmime/stable/GMimePkcs7Context.html
This has been on my plate for, uh, over a year now, but clearly i
haven't gotten to it, and would be happy if someone else wanted to pick
it up.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: <http://notmuchmail.org/pipermail/notmuch/attachments/20140314/0690f26d/attachment.pgp>
More information about the notmuch
mailing list