gpgsm and expired certificates

MFPA expires2013 at ymail.com
Thu Nov 7 00:29:05 CET 2013


Hi


On Wednesday 6 November 2013 at 11:42:49 AM, in
<mid:87txfpg3ie.fsf at gilgamesch.quim.ucm.es>, Uwe Brauer wrote:



> Well, take for example iOS: using pgp is a sort of a
> nightmare.

So I have heard.



> The reasons why I think smime is easier to use for the
> average user are: smime is already installed in most
> MUA (so no additional software+plugin)

But all the hordes who use webmail are pretty much still out of luck,
though. (With certain exceptions, such as hushmail.)



> keypairs are
> generated and signed by the "trust center".

I don't know about the "trust centre." The Bat! gives me the choice
of its own internal implementation or Microsoft Crypto-API, which is
part of Windows. (The Bat! and Windows are closed-source proprietary
products that we probably shouldn't discuss too much on this list.)



> Public
> keys are automatically embedded in the signatures.

That is simpler and avoids the web-bug-like effect you have if you
choose to auto-retrieve OpenPGP keys from keyservers for new contacts.
But must waste a lot of bandwidth between regular correspondents.



> Aha I see you use the BAT, an email program I have not
> seen in use, for almost a decade.

I have used it myself for over nine years.



> Good and bad news.
> Gpgsm allowed me to use your public keys after
> firing up a series of questions, iOS also,

Good.



> (if you
> don't mind I send you two test messages later privately)

I don't mind.



> However Thunderbird refuses to use your public key
> claiming it cannot be trusted.

Fair enough. Using its internal implementation, The Bat! accepts
signatures from the S/MIME certificate I created last night (because I
added it to the trusted root CA address book) and does not accept your
S/MIME signature (because Comodo's root certificate is not in the
trusted root CA address book - but adding it would be just a few
clicks). MS Crypto-API is fine with Comodo's root cert, but says my
certificate has an invalid signature algorithm specified.

I just searched and found [1] about Thunderbird, which says you can
import a copy of other people's self-signed S/MIME certificate from a
".cer" file into your "Authorities" tab. So much for "being easier
because keys are automatically embedded in the signatures."


> So I am afraid the
> issue is to persuade not only the people but also
> the software.

As I said, getting other people to persuade their MUA to accept it.

[1] <http://kb.mozillazine.org/Installing_an_SMIME_certificate>.


--
Best regards

MFPA                    mailto:expires2013 at ymail.com

Courage is not the absence of fear, but the mastery of it.



