Rhialto wrote in
 <ZSMXfdvUp1bzJbSA%falu.nl@localhost>:
 |On Sun 08 Oct 2023 at 16:04:20 +0000, Taylor R Campbell wrote:
 |> As far as I'm aware, S/MIME is only ever seriously deployed within a
 |> single organization at a time (or a closed set of partnering
 |> organizations).  So I don't expect anything about it to seriously work
 |> out of the box and I have no idea what public CAs do about it.
 |
 |mail/mutt supports S/MIME signing at least out of its box, but by
 |default it uses its own management program `smime_keys` to manage the
 |keys, stored in ~/.smime.  That's the closest I know of.

The MUA i maintain can also S/MIME via the pretty easily usable OpenSSL API (aka native, not via command line tools). It will be easier to auto-save and auto-encrypt S/MIME with the next release (also via a dedicated certificate folder).

 |Sometimes I receive a mail signed with S/MIME from some mailing list but
 |I don't think that mutt ever told me that the signature matched (due to
 |the certificates not being set up).

The PGP community started sending their "certificates" aka public keys in an attached way, protected by the signed envelope. Ie you can save the attachment and, with that, verify the email.

Ie after they all cancelled their key servers (also Universities and such) following that "toxic waste attack", and the keyserver pool dried out, you can do WKD (which is not really easy to set up as it is "documented somewhere", and requires special handling, for example what i called RFC 6189: ZRTP specific base32 (RFC 4648); and see human-oriented-base-32-encoding.txt (hihi) (laughter at what they think is human-oriented, that is), as well as, of course, your own domain and webserver storage), and there is not much aside from that. IETF standardized an ACME Let's Encrypt thing for S/MIME, but i bet that will never truly make it, and i bet again i will not lose that bid, but am not in a fever on that either.

DKIM is cool, but they would need to allow mailing-lists and such to store the modified things away to a known place, and verifiers would need to support restoring that along the chain / stack of things, and then user interfaces would have to adopt and show hints on all that. (What _will_ happen is that they automatize and inject tons of ARC and such s..t no matter what. And i will not use DMARC or ARC until that messed-up system will no longer work without it.) DKIM of course "protects" the domain, not a human sender.

I like S/MIME. In fact i would have hoped for OpenSSL providing tools to (detach) sign and verify files, as anything is there to create and verify signatures. That way all use cases for PGP would have vanished from my point of view. I mean, OpenSSL uses standardized algorithms, and standardized file formats (CMS, X509). What i like better with PGP is the MIME approach (i have forgotten about RFC 1847, 2015, 3156 for now). But, ideally, users do not have to deal with that anyway, as the user interface abstracts it, so then it does not matter.

Anyhow, the MUA i maintain will not get PGP support before the big MIME rewrite; then it will come via external tools. Unfortunately NetPGP was not funded to death, it was such a small forgiving thing. It is understandable that someone forked the code, but that thing (the name of which i have forgotten, too), last i looked, was really much more potent, but used languages and dependencies that deterred me. (Maybe my timelines are wrong, but C++ is now in every base system that i practically use; if it was that, one problem has vanished. Anyhow, it is all too big.)

Well so for me S/MIME will then just be setting a variable, and the hook should catch it and act accordingly:

  define on-compose-leave {
    ...
    \if -N smime-sign && -N _smime-sign-cert
      \local vput fop _smime-sign-cert expand "$_smime-sign-cert"
      \if -r "$_smime-sign-cert"
        \digmsg create -
        \digmsg - attachment insert "$_smime-sign-cert"
        \digmsg remove -
      \en
    \en
    ...

And i thought, since i wanted to write this saturday night, that the special compose-mode digmsg object should spring into existence automatically. Anyhow this is a long way to go, until it will really rock.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
Attachment: steffen@sdaoden.eu.crt (application/x509-ca-cert)
Attachment: smime.p7s (S/MIME digital signature)
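The thread above talks about detached S/MIME signing with OpenSSL, about certificates that travel as attachments of the signed mail, and about an MUA not being able to say whether a signature "matched" because no certificates were set up. The following is an added example, not code from the mail or from any of the MUAs it mentions: it uses the openssl(1) "cms" subcommand (which does produce and verify detached CMS/S-MIME signatures) with a throwaway self-signed certificate for the constructed address alice@example.invalid, and it separates the two things a verifier has to decide. First, is the signature intact over the canonicalised MIME part (RFC 1847: the part is signed including its headers, with CRLF line endings)? Second, is the signing certificate trusted? A certificate that arrived attached to the very mail it vouches for answers only the first question; the second needs a CA chain or a key you pinned out of band, which is exactly why a mutt without ~/.smime set up cannot report a match.

```shell
# Added example (not from the quoted mail or the MUAs it describes):
# detached S/MIME (CMS) signing and verification with openssl(1),
# using a throwaway self-signed certificate for a constructed identity.
# smime_demo prints one status word per check on a single line.

smime_demo() {
    if ! command -v openssl >/dev/null 2>&1; then
        printf 'skipped\n'          # no openssl binary on this host
        return 0
    fi
    d=$(mktemp -d) || return 1

    # 1. Throwaway RSA key and self-signed certificate (constructed identity).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=alice@example.invalid/emailAddress=alice@example.invalid' \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1 || return 1

    # 2. The MIME body part to be protected. Per RFC 1847 the part is signed
    #    together with its headers, canonicalised to CRLF line endings.
    printf 'Content-Type: text/plain\r\n\r\nhello from the added example\r\n' \
        >"$d/body.txt"

    # 3. Detached signature: the output is a multipart/signed entity whose
    #    second part is the application/pkcs7-signature (the usual smime.p7s).
    openssl cms -sign -in "$d/body.txt" -signer "$d/cert.pem" \
        -inkey "$d/key.pem" -out "$d/signed.eml" 2>/dev/null || return 1

    # 4a. Verification with the sender's certificate pinned as trust anchor
    #     (the "save the attachment and verify with it" situation).
    if openssl cms -verify -in "$d/signed.eml" -CAfile "$d/cert.pem" \
            -out /dev/null >/dev/null 2>&1; then
        s=verified
    else
        s=not-verified
    fi

    # 4b. Same message against the default trust store only: the signature is
    #     intact, but nothing vouches for a self-signed certificate that came
    #     with the mail, so this must fail on trust, not on integrity.
    if openssl cms -verify -in "$d/signed.eml" -out /dev/null >/dev/null 2>&1; then
        s="$s trusted-by-default"
    else
        s="$s untrusted-by-default"
    fi

    # 4c. Integrity only (-noverify skips chain building) on a tampered copy:
    #     one changed byte in the signed part breaks the message digest.
    sed 's/hello from/jello from/' "$d/signed.eml" >"$d/tampered.eml"
    if openssl cms -verify -noverify -in "$d/tampered.eml" \
            -out /dev/null >/dev/null 2>&1; then
        s="$s tamper-missed"
    else
        s="$s tamper-rejected"
    fi

    rm -rf "$d"
    printf '%s\n' "$s"
}

smime_demo
```

Expected output on a host with openssl is "verified untrusted-by-default tamper-rejected". The middle word is the one to take away: the archive renders this mail with both steffen@sdaoden.eu.crt and smime.p7s attached, and a reader can check the signature against that certificate, but whether that certificate belongs to the person it names is a decision the attachment cannot make for them.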