Behaviour of gpgsm / gpgme with multiple S/MIME certificates/keys per address (old/expired/about to expire and new)

Dr. Thomas Orgis thomas.orgis at uni-hamburg.de
Fri Jun 9 14:17:24 CEST 2017


Hi,

I recently got into trouble with S/MIME signing and encryption in
claws-mail, which uses gpgme. My old (first) S/MIME certificate is
about to expire, so I got a new one. I added the new one to gpgsm's
keystore. But after that, claws-mail as well as gpgsm complain about
the keys being ambiguous. Clearly, the call

	gpgsm -u user@example.com

aborts because it cannot decide which of the two certificates to use.
It works when I specify a definite key ID (fingerprint) for -u or just
fix the default one. But what if I have multiple mail addresses, each
with old and new keys lying around?

Is there a way to tell gnupg to prefer a certain key for a given
mail address? While I can fix a key ID in claws-mail, too, this
currently breaks alternating usage of S/MIME and PGP, as currently there
is only one configuration field for the key ID to use for both
(hopefully that will change soon).

With the GPG/PGP part, I revoke my old key and all seems fine. I
somehow fail to see the equivalent mechanism for S/MIME.

I even checked the expiration process, advancing my system clock past
the expiration date of the old certificate. Even then, gpgsm complained
about ambiguous keys. Wouldn't it be sensible to

a) always use the newest S/MIME key with non-expired certificate and
b) discard the ones that are expired by default?

This issue even extended to another installation of gnupg/claws-mail
suddenly refusing to use the old key, although I did not yet add the
new secret key to it. They just picked up on the new certificate being
published and hence also consider the keys ambiguous (even if there is
only one secret key).

Any pointers? I wonder if I am doing something basic wrong, as regular
expiration of S/MIME certificates is the norm, isn't it? Doesn't anyone
else have issues with the accumulating number of old certificates?

(I am using GnuPG 2.1.21, gpgme 1.9.0, btw.)


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
Universität Hamburg
RRZ / Basis-Infrastruktur / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270
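Added here as an example (not part of Thomas's message, and not GnuPG's or claws-mail's own code): a small Python helper that applies the policy asked for in (a) and (b) to the machine-readable output of `gpgsm --with-colons --list-secret-keys`, and returns the fingerprint to hand to `gpgsm -u`, so gpgsm is never given an ambiguous mail address. The field positions and the `<address>` form of e-mail user ids are assumptions about the colon format, following GnuPG's doc/DETAILS; verify them against a real listing before relying on this. The listing below is constructed sample data, and the reference time is passed in so the selection is reproducible.

```python
"""Choose the newest usable S/MIME certificate for a mail address.

Example code, not from the original message. It parses the output of
`gpgsm --with-colons --list-secret-keys` (assumed layout, see below) and
returns the fingerprint to pass to `gpgsm -u`, instead of letting gpgsm
abort on an ambiguous address.
"""
from datetime import datetime

# Assumed record layout (after GnuPG's doc/DETAILS):
#   field 0  record type: 'crs' = certificate with secret key, 'crt' = cert only
#   field 5  creation time, field 6 expiration time, both 'YYYYMMDDThhmmss'
#   'fpr' records carry the fingerprint in field 9
#   'uid' records carry one subject or subjectAltName entry in field 9;
#   e-mail entries are assumed to appear as '<address>'
# Constructed sample: two certificates for user@example.com (one about to
# expire, one new) and one for other@example.com.
SAMPLE_LISTING = """\
crs:u:2048:1:AAAAAAAAAAAAAAAA:20150601T000000:20170630T235959::::::::
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::::::CN=Example User,O=Example Org,C=DE::
uid:u::::::::<user@example.com>::
crs:u:2048:1:BBBBBBBBBBBBBBBB:20170501T000000:20190630T235959::::::::
fpr:::::::::0000000000000000000000000000000000000002:
uid:u::::::::CN=Example User,O=Example Org,C=DE::
uid:u::::::::<user@example.com>::
crs:u:2048:1:CCCCCCCCCCCCCCCC:20160101T000000:20180101T000000::::::::
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::::::<other@example.com>::
"""


def parse_listing(listing):
    """Group crt/crs, fpr and uid records into one dict per certificate."""
    certs = []
    for line in listing.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind in ("crt", "crs"):
            certs.append({"created": fields[5], "expires": fields[6],
                          "secret": kind == "crs", "fpr": None, "uids": []})
        elif kind == "fpr" and certs:
            certs[-1]["fpr"] = fields[9]
        elif kind == "uid" and certs:
            certs[-1]["uids"].append(fields[9])
    return certs


def _ts(value):
    """Parse gpgsm's ISO-style timestamp."""
    return datetime.strptime(value, "%Y%m%dT%H%M%S")


def select_certificate(listing, address, now, require_secret=True):
    """Return the fingerprint of the newest certificate for `address` that is
    already valid and not yet expired at `now` ('YYYYMMDDThhmmss'), or None.

    Expired certificates are silently discarded and ties between several
    valid ones are resolved by creation time, i.e. the policy asked for in
    the message rather than gpgsm's "ambiguous key" abort.
    """
    wanted = "<%s>" % address.lower()
    ref = _ts(now)
    candidates = []
    for cert in parse_listing(listing):
        if require_secret and not cert["secret"]:
            continue  # we need a key we can sign with, not just a certificate
        if cert["fpr"] is None or wanted not in (u.lower() for u in cert["uids"]):
            continue
        created = _ts(cert["created"])
        if created > ref:
            continue  # not yet valid (clock skew or a freshly issued cert)
        if cert["expires"] and _ts(cert["expires"]) <= ref:
            continue  # expired: discarded instead of reported as ambiguous
        candidates.append((created, cert["fpr"]))
    if not candidates:
        return None
    return max(candidates)[1]


def gpgsm_sign_argv(listing, address, now):
    """Command line for signing with the selected key; None if no usable key."""
    fpr = select_certificate(listing, address, now)
    if fpr is None:
        return None
    return ["gpgsm", "--sign", "-u", fpr]


if __name__ == "__main__":
    # On a real system replace SAMPLE_LISTING with the output of
    # `gpgsm --with-colons --list-secret-keys` and `now` with the current time.
    print(select_certificate(SAMPLE_LISTING, "user@example.com", "20170609T141724"))
```

Pointing `-u` at the returned fingerprint sidesteps the ambiguity for every address, and once the old certificate's expiry has passed it drops out of the candidate set on its own, so a wrapper script around this selection can feed claws-mail's single key-ID field without manual edits at each renewal.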