[RCD] S/MIME encryption and signing plugin
vgo at stels.ru
Fri Jan 15 09:31:30 CET 2016
------ Original message ------
From: "A.L.E.C" <alec at alec.pl>
To: dev at lists.roundcube.net
Sent: 14.01.2016 23:13:12
Subject: Re: [RCD] S/MIME encryption and signing plugin
>On 01/12/2016 03:15 PM, Владимир Горпенко wrote:
There was a question 2, I'd like to get an answer to it too.
"2. If I understood correctly, the driver processes only a message body.
But it is also necessary to work with headers - to remove some, to add
others. How is it proposed to be realized?"
>> 3. php openssl works with private keys and certificates. And the
>> receives only keys. Whether it is possible to build in this scheme
>> with certificates?
>Sorry, I don't have enough knowledge about S/MIME yet to provide help
If I understand correctly, PGP keys are only keys.
The certificate contains, besides a public key, a lot of other
information. This information is not only of interest to the recipient,
but also allows the certificate to be checked. The certificate is signed, and
the certificate specifies by whom exactly it is signed.
I can specify the following features of working with certificates.
1. The certificate of the sender is often attached to the signed letter.
In that case it is necessary to use this certificate for verification of
the signature. Yes, openssl will do it automatically.
2. It is useful to be able to store this certificate in the base. However, it
is attached to the letter not as a standard attachment; at verification
of the signature php openssl will take it from the letter. Therefore, for
saving the certificate attached to the letter, the main program needs
to provide a possibility of getting the extracted certificates from the
driver. Or to attach it to the letter again, already as a standard
attachment, which isn't quite trivial.
3. Php openssl carries out independent verification of the certificate
in the procedure of verification of the signature. I don't know precisely
which checks it carries out, but the power of attorney of the CA that signed the
certificate is checked. Check of integrity of the certificate, an
expiration date, whether the certificate is withdrawn are essentially
Respectively after openssl verification additional information which
needs to be told to the user will be received.
4. To check whether the certificate is signed by an entrusted CA,
openssl demands additional information, namely the certificates of the
entrusted CAs. This information also has to be transferred to the driver
5. Part of the information contained in the certificate needs to be
told to the recipient of the letter. This is right both for the case of an
attached certificate and for the case of a certificate received from
the RC base. The driver has to provide means for transferring this
information to the main program.
>There's currently no option to attach a key to messages being sent.
openssl sign does it if it isn't specifically forbidden.
>> 5. The certificate attached to the signed message can be invalid or
>> entrusted. For verification of the power of attorney of the
>> the base of the entrusted CA is necessary. It can be realized in the
>Well, probably some changes will be needed, but PGP keys can also be
>entrusted or invalid or expired, etc. Not all is implemented yet.
I meant something else: openssl verify can recognize the certificate as
incorrect or not entrusted, and it is necessary to do something with this
information right after verification of the signature.
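
The points raised in this message (taking the attached signer certificate out of the letter, supplying the CA certificates, and reporting the verification outcome and certificate details to the main program) can be illustrated with PHP's openssl functions. This is an added example, not code from Roundcube or from the plugin under discussion; the function name `smime_check`, the status strings and the demo file names are assumptions made for illustration.

```php
<?php
// Added example: classify an S/MIME signed message and hand the signer's
// certificate details back to the caller. Names are hypothetical.
function smime_check(string $msgFile, array $caInfo): array
{
    $signers = tempnam(sys_get_temp_dir(), 'smime');
    // Pass 1: full check; the signer's chain must end at a CA from $caInfo.
    $status = 'trusted';
    $rc = openssl_pkcs7_verify($msgFile, 0, $signers, $caInfo);
    if ($rc !== true) {
        // Pass 2: PKCS7_NOVERIFY skips chain validation but still checks the
        // signature, separating "untrusted signer" from "bad signature".
        $rc = openssl_pkcs7_verify($msgFile, PKCS7_NOVERIFY, $signers, $caInfo);
        $status = ($rc === true) ? 'untrusted' : 'invalid';
    }
    $result = ['status' => $status, 'signer' => null];
    // On success openssl writes the certificates found in the message here.
    $pem = ($rc === true) ? (string) file_get_contents($signers) : '';
    if ($pem !== '' && ($info = openssl_x509_parse($pem)) !== false) {
        $result['signer'] = [
            'subject'    => $info['subject'],
            'issuer'     => $info['issuer'],
            'not_before' => gmdate('c', $info['validFrom_time_t']),
            'not_after'  => gmdate('c', $info['validTo_time_t']),
            'pem'        => $pem, // caller may store it in its certificate base
        ];
    }
    unlink($signers);
    return $result;
}

// Constructed demo input: a self-signed certificate and a signed test message.
$dir  = sys_get_temp_dir();
$key  = openssl_pkey_new(['private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'Test Signer'], $key);
$cert = openssl_csr_sign($csr, null, $key, 30);
openssl_x509_export_to_file($cert, "$dir/demo-cert.pem");
file_put_contents("$dir/demo-body.txt", "Hello\n");
openssl_pkcs7_sign("$dir/demo-body.txt", "$dir/demo-signed.eml", $cert, $key, []);

// No CA certificates supplied by the caller.
print_r(smime_check("$dir/demo-signed.eml", []));
// The signer's own certificate supplied as a trusted CA.
print_r(smime_check("$dir/demo-signed.eml", ["$dir/demo-cert.pem"]));
```

Revocation is not covered by these calls, so a caller that needs it has to check it separately.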