From: Thomas Roessler
Date: Mon, 28 Jan 2002 19:59:03 +0000 (+0000)
Subject: Add more information on S/MIME. Adapted from Oliver Ehli's notes by
X-Git-Tag: mutt-1-5-1-rel~116
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=51b5de75115245f2de654644ba3298e52de1a50e;p=mutt

Add more information on S/MIME. Adapted from Oliver Ehli's notes by Mike Schiraldi.
---
diff --git a/doc/smime-notes.txt b/doc/smime-notes.txt
index 35706859..14fc25a3 100644
--- a/doc/smime-notes.txt
+++ b/doc/smime-notes.txt
@@ -37,3 +37,54 @@ smime_sign_as line, replacing the keyid with your own. - You probably want to import the trusted roots in contrib/ca-bundle.crt. Use "smime_keys.pl add_root" to do so. That makes you trust anything that was ultimately signed by one of them. + + + +Other notes + +Key management is done in a way similar to OpenSSL's CA directory. Private +keys and certificates are stored in different directories, as OpenSSL +expects either to be supplied in a (distinct) file. Each directory contains +an unsorted file named '.index' wherin each line has several fields: +mailbox, keyid, label, id of the intermediate certificate and keyflags. + + * Keyid is a hashvalue derived from the subject field of a certificate + and supplied by OpenSSL. + + * The mailbox address is derived from either From or Sender field of the + message, and matched with the email field of the certificate. Non + matching address pairs get rejected, as get certificates not + containing a mailbox address at all. (These are security issues, that + perhaps should be configurable.) + + * Label is set by the perl script (it will ask you to supply one), when + you add your keypair to the database. So are the remaining two fields. + + * keyflags are set with certificate verification option of the perl + script. It may take as value one of the following: i: invalid + (verification failed), r: revoked, e: expired, u: unverified, v: + successfully verified and finally t: trusted, in case it was + successfully verified and you chose to trust the certificate (the + script will ask you). Mutt will not use invalid, revoked or expired + certificates for signing or encryption. It will ask for confirmation + before using unverified certificates, and finally it will issue a + warning before using successfully verified but untrusted certificates. + +The purpose fields of a certificate do not get verified yet, also there is +no real check if the given file is a certificate at all. 
+ +Key retrieval is done obviously by searching the index file for a given +mailbox. If none is found, the user is presented a list of available keys +and asked to select one of those. + +The certificate and key directories specified in muttrc have to exist. Mutt +will not create them. If you wish to sign messages yourself, note that this +mutt does not address any PKCS10 or PKCS12 issues (yet?); that is, you have +to get a valid certficate outside of mutt. (See above) + + + +A certificate can be viewed by adding the following to your ~/.mailcap: + +application/x-pkcs7-signature;openssl pkcs7 -in %s -inform der -noout \ +-print_certs -text | less; needsterminal
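Review bot: The sentence near the end of the hunk, "The purpose fields of a certificate do not get verified yet, also there is no real check if the given file is a certificate at all.", is the most security-relevant statement in the file and should be a clearly labelled limitation rather than an aside: as written, a certificate that was never issued for mail signing or encryption can still be entered in '.index' with a 'v' or 't' keyflag and mutt will use it, and a file that is not a certificate at all can land in the key directory. Suggest a short "Known limitations" heading that states both points, and a note that the perl script could refuse files whose purpose OpenSSL does not report as usable for S/MIME (for example via "openssl x509 -noout -purpose"; assumption: that check is not yet in smime_keys.pl). The parenthetical "(These are security issues, that perhaps should be configurable.)" would read better if it said that rejecting non-matching mailbox/certificate pairs is the default and that relaxing it removes the binding between the sender address and the certificate that verified the signature. Smaller points: the '.index' description lists five fields but never names the field separator; "wherin" should be "wherein", "hashvalue" should be "hash value" and "certficate" should be "certificate".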