GNU bug report logs -
#67931
[PATCH] Use S/MIME key from content for mail signing via OpenSSL
Previous Next
Reported by: Illia Ostapyshyn <illia <at> yshyn.com>
Date: Wed, 20 Dec 2023 13:59:01 UTC
Severity: normal
Tags: patch
Done: Eric Abrahamsen <eric <at> ericabrahamsen.net>
Bug is archived. No further changes may be made.
Full log
Message #32 received at 67931 <at> debbugs.gnu.org (full text, mbox):
Eric Abrahamsen <eric <at> ericabrahamsen.net> writes:
> The patch seems to work as intended -- I won't claim to know enough
> about SMIME to know if it does the right thing or not. Can you briefly
> explain what the additional certificates actually do, and why they're
> useful in signing but not in encryption?
End-user SMIME certificates are signed by the (intermediate) CAs that
issued them. The issuer's certificate can be in turn signed by another
CA up the hierarchy, resulting in a chain that ends with the implicitly
trusted root authority. When signing a message, you can include the
intermediate CA certificates, allowing the recipient to verify the whole
chain. With openssl, this is done via the -certfile argument [1]:
-certfile file
Allows additional certificates to be specified. When signing these
will be included with the message. When verifying these will be
searched for the signers certificates. ...
Encryption is orthogonal to this: it only uses the public keys of your
recipients from their certificates, the chain is irrelevant.
The MML tag parameter names are a bit unfortunate here: the new
`chainfile' parameter translates to "-cerfile" arguments and the
existing `certfile' parameters translate to positional "recipcert"
arguments of openssl [1].
[1] https://www.openssl.org/docs/manmaster/man1/openssl-smime.html
This bug report was last modified 1 year and 100 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.