difficulty in rendering S/MIME signature status from some certificates

Subject: difficulty in rendering S/MIME signature status from some certificates

Date: Wed, 26 May 2021 19:32:10 -0400

To: Notmuch Mail

Cc:

From: Daniel Kahn Gillmor


Hi folks--

id:e4a7efe92433f7c3e5dedeac0ea4efc003020296.camel@ericsson.com from the
IETF LAMPS WG mailing list <spasm@ietf.org> can be found at 
https://mailarchive.ietf.org/arch/msg/quic/FpbJTLXsoFLSNr--LgxCOC6IssY.
when rendering it, notmuch-emacs shows:

     [ Good signature by: 1.2.840.113549.1.9.1=#6D61676E75732E7765737465726C756E64406572696373736F6E2E636F6D,CN=Magnus Westerlund,O=Ericsson ]

1.2.840.113549.1.9.1 is the OID for emailAddress in distinguished names.
This field which is deprecated according to
https://www.oid-info.com/get/1.2.840.113549.1.9.1 and ยง5.2.1 of
https://datatracker.ietf.org/doc/html/rfc2985#page-7, but it is still
very much in use as evidenced by the message's X.509 certificate, which
was issued less than a year ago (in 2020-12-11) with a 3-year validity
window.

I wanted this to make this visible in notmuch as the more legible form
"EMAIL=magnus.westerlund@ericsson.com,CN=Magnus Westerlund,O=Ericsson".
i tracked it down to a constraint in libksba's parsing code, and
reported it to GnuPG (libksba's upstream) here:
https://dev.gnupg.org/T5450 and the fix was rejected.

I don't think that notmuch should try to contain any string-to-DN
parsing code, and notmuch's use of gmime here is basically a passthrough
from gpgme, so i'm a bit stuck.

It occurs to me that maybe notmuch should be identifying the e-mail
address (and only the e-mail address?) instead of the other elements of
the user ID, which are more dubious than the e-mail address anyway.

It seems possible to do this by using the g_mime_certificate's email
field in preference to the g_mime_certificate's user_id field, at least
for this particular certificate, because it contains a subjectAltName of
type rfc822name that is just the e-mail address.

I see a couple different options available to do this:

 a) add an "email?" field to the "signature" object in devel/schemata,
    and then teach notmuch-emacs to render that instead of the userid
    field in cases where it's present.

 b) replace the content of the userid field in the "signature" object
    with the e-mail address entirely.

I'm leaning toward (a), though it requires fiddling in more places.  At
the very least, the first step of (a) doesn't seem objectionable.

(note: GMimeCertificate's email field itself is of somewhat dubious
provenance, and i'm trying to clean that up at
https://github.com/jstedfast/gmime/pull/102)

What do folks think?

        --dkg
signature.asc (application/pgp-signature)
_______________________________________________
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-leave@notmuchmail.org

Thread: