Re: any documentation for S/MIME setup for mutt? (Re: OT: Checking S/MIME signatures)
On Thu, Dec 04, 2003 at 12:36:23AM +0100, Robert Joop wrote:
> On 03-11-25 17:53:00 CET, Christoph Ludwig wrote:
> > On Tue, Nov 25, 2003 at 01:05:24PM +0100, Robert Joop wrote:
> > > > PS: I am going to sign this posting. You probably don't have our root
> > > > CA's public key installed whence the verification will fail. But
> > > > at least you should see an error message like "unable to get local
> > > > issuer certificate".
> > >
> > > no, actually i get
> > >
> > > Verification failure
> > > 16485:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify
> > > error:pk7_smime.c:222:Verify error:self signed certificate in certificate
> > > chain
> > >
> >
> > I forgot that in my .muttrc smime_sign_command is set such that the
> > whole certificate chain is attached, not only my own
> > certificate. That explains the different error message.
> >
> > Sorry if I caused any confusion.
>
> no, i think the above error message causes confusion.
> self signed certificates are usually (root) CA certificates (X.509v3
> basic contraints' CA:true), so the error message shouldn't be that
> there's a self signed cert, but that the root CA's cert ain't in the
> user's trusted list.
I consider the message about the self signed certificate at least as
self explanatory as the one about the missing issuer
certificate... Seriously, even an application like mutt with mostly
technically adept users should try to translate openssl's error codes
into more application specific messages, IMO. The messages should not
require you to understand the internals of openssl. We cannot expect
everyone to be a PKI expert.
I see some other issues with mutt's openssl interface as well. But I
could not spare the time yet for developing a patch.
> unless of course your cert chain is rather unusual and misled openssl to
> this misleading error message... :-)
> but no, your CA cert has this flag, the key usage attribute looks ok,
> only the 'netscape cert type' 'SSL CA' makes me wonder.
> but mutt is no netscape application and the attribute is not marked
> critical, so that should do no harm.
The Netscape certificate extensions are documented at
http://wp.netscape.com/eng/security/comm4-cert-exts.html.
> > > does anybody know about any documentation of how to set this up, i mean
> > > the whole S/MIME stuff for mutt?
> >
> > In mutt's CVS is a file doc/smime-notes.txt that describes the setup
> > step by step. I assume it is also contained in the current
> > distribution.
>
> perhaps in the source distribution, but it doesn't come with the debian
> packages, /usr/share/doc/mutt/ contains a lot but not this file.
> i guess i should file a request for enhancement with debian...
>
> > Do you have any specific questions?
>
> yes, where is the cvs repository? :-)
CVSROOT=':pserver:anonymous@xxxxxxxxxxxx:/home/roessler/cvs'
The password was either 'anonymous' or empty, I don't remember right
know.
> i got myself the whole
> ftp://ftp.mutt.org/%2fmutt/devel/mutt-1.5.5.1i.tar.gz tarball...
>
> ok, the file is there.
>
> btw, where does smime_keys usually get installed?
> on debian, it looks like a command that is not to be used by a normal
> user, at least not directly:
>
> rj:~$ smime_keys init
> bash: smime_keys: command not found
> rj:~$ locate !:0
> locate smime_keys
> /usr/lib/mutt/smime_keys
> rj:~$
>
> debian problem, or more general?
That seems debian specific. On my system, smime_keys was installed
alongside mutt in PREFIX/bin (where PREFIX is the path specified with
the configure option --prefix).
smime_keys needs to be called by a normal user since it creates a
user specific directory tree beneath ~/.smime that contains the keys
and certificates. Even a "normal user" does not want to share the
private keys...
Regards
Christoph
--
http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/cludwig.html
LiDIA: http://www.informatik.tu-darmstadt.de/TI/LiDIA/Welcome.html