[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Verifying signed mail in Gnus
|
From: |
Uwe Brauer |
|
Subject: |
Re: Verifying signed mail in Gnus |
|
Date: |
Mon, 31 Oct 2022 20:53:39 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) |
>>> "AdV" == Angel de Vicente <angel.vicente.garrido@gmail.com> writes:
> Hello,
> Akib Azmain Turja <akib@disroot.org> writes:
>> Angel de Vicente <angel.vicente.garrido@gmail.com> writes:
>>> but now I got an e-mail from someone using S/MIME, and despite reading
>>> that GnuPG should be able to handle S/MIME certificates, I'm not sure
>>> how to do it. Is there something similar to `epa-search-keys` but for
>>> certificates? I guess since we are dealing with certificates here, I
>>> don't need to get the individual certificate of this person, but just
>>> the certificate for the Certification Authority, but how to find the
>>> certificate, and how to do the equivalent of the signing above, so trust
>>> will go from "undefined" to "full"?
> This part I found how to do. Basically Gnus+GnuPG already imported the
> certificate for me, which I could verify by doing "gpgsm -k", and then I
> just had to set the root CA as trustworthy in the file
> "~/.gnupg/trustlist.txt"
> With that, I now get (trust full) for this person.
> ,----
> | [[S/MIME Signed Part:Good signature from
> | DD733F6DFA9EBA0303F699xxxxxxxxxxxxxxxxxx /CN=xxxxx xxxxxx xxxxxx
> | xxxxxxxx/O=Instituto de Astrofisica de Canarias/STREET=Calle Vía
> | Láctea, s\x2fn/ST=Santa Cruz de Tenerife/C=ES (trust full)]]
> `----
> Actually, it looks like S/MIME is much more convenient than GPG, since I
> only have to deal with giving trust to the root CA, and then all
> certificates given by that CA will have full trust immediately? Maybe
> when digital certificates were not so common, PGP/MIME was a better
> option, but now it looks like S/MIME should be easier for
> key/certificates management? (I have one day of experience with this, so
> don't take my word for it :-) )
>> How did you make Gnus display those nice messages? My Gnus doesn't do
>> that (but ask me for password for decrypting mails).
SMIME and (g)gpg are basically orthogonal to each other in some aspects
although the rely on asymmetric encryption
I started to use (g)pgp and then switched to SMIME, because
1. The public key interchange is so much simpler (but see below
risks), since the public key is always embedded in your signature
2. SMIME support is basically shipped in most MTA, moreover the key
generation is also much simpler for newbies.
3. IF you have the all the relevant CAs installed (which might not
always be the case), the authentification is done automatically,
for GNU/Linux for example by the ggpsm program which is used
usually by emacs.
4. Some government agencies already provide SMIME keys for their
residents, for example Spain.
The downside and disadvantages of SMIME is its hierarchical structure,
which makes it very convenient, however: once a root CA is
compromised, the whole security breaks down, that is not the case for
PGP since there you rely on a web of trust/
Uwe Brauer
smime.p7s
Description: S/MIME cryptographic signature