[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
S/MIME with OpenSSL?
From: |
Jens Lechtenboerger |
Subject: |
S/MIME with OpenSSL? |
Date: |
Sun, 08 Nov 2015 17:15:02 +0100 |
User-agent: |
Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.0.50 (gnu/linux) |
Hi there,
I plan to refactor the code used for GnuPG in the Message mode of
Emacs (Gnus) and started a discussion on the Gnus devel mailing list
ding. An open issue is the use of OpenSSL for S/MIME in Emacs,
which might be removed in the future. So if you use S/MIME via
OpenSSL, please let me know why.
I recommend that you use gpgsm instead of openssl for S/MIME as:
** Gpgsm manages certificates (storage, expiry, revocation).
Users need to perform those tasks manually with openssl.
** Openssl has bugs as documented in the BUGS section of man smime(1).
In particular: SMIMECapabilities are ignored, no revocation checking
is done on the signer's certificate.
** Advertised SMIMECapabilities include broken encryption algorithms.
With the precompiled openssl 1.0.1f on my system RC2 is advertised,
which should have been dropped since S/MIME 3.x, see:
https://tools.ietf.org/html/rfc5751#appendix-B
Currently, openssl is preferred over epg (gpgsm), via
(defcustom mml-smime-use (if (featurep 'epg) 'epg 'openssl))
in mml-smime.el. However, epg does not get loaded on its own even if it
is present. Thus, users need to set mml-smime-use or require epg in
their ~/.emacs, but the manual does not mention gpgsm at all.
I plan to change this to prefer epg by default (and to document and
recommend gpgsm).
What’s your opinion?
Best wishes
Jens
P.S. I’d like to clarify that I recommend OpenPGP, not S/MIME.
Still, S/MIME is better than plaintext.
- S/MIME with OpenSSL?,
Jens Lechtenboerger <=