[Aegypten] Bogus messages about certificates?

Jan-Oliver Wagner jan@intevation.de
Mon Sep 30 18:20:02 2002



On Sat, Sep 28, 2002 at 12:45:46PM +0200, Ingo Klöcker wrote:
> while checking the Aegypten stuff in KMail I noticed a few strange 
> messages and other stuff.

Attached are some answers by Werner Koch.

> Furthermore when I use the PGP/MIME plugin I get all available 
> warnings:
> 
> First I'm told that the certificate I want to use for signing expired 
> 11958 days ago which is bullshit since my OpenPGP key doesn't expire at 
> all.

Ingo himself fixed this problem already. Thanks!

> Then I'm told that the root certificate I want to use for signing 
> expires in 10 days. Huh? In OpenPGP there is no root certificate.
> 
> Then I'm told that the CA certificate I want to use for signing expires 
> in 10 days. Huh? In OpenPGP there is also no CA certificate.

This is buggy behaviour. We'll try to fix it.

Thanks

	Jan

-- 
Jan-Oliver Wagner               http://intevation.de/~jan/

Intevation GmbH	              	     http://intevation.de/
FreeGIS	                               http://freegis.org/

To: aegypten-intern@intevation.de
Subject: Re: [kloecker@kde.org: [Aegypten] Bogus messages about
 certificates?]
From: Werner Koch <wk@gnupg.org>
Date: Mon, 30 Sep 2002 09:06:18 +0200

On Sat, 28 Sep 2002 14:07:01 +0200, Bernhard Reiter said:

> Needs a good answer.
> Some things are BUGS (some already known for a long time).
> Some crypto things about SPHINX need to be explained.

> From: Ingo Klöcker <kloecker@kde.org>
> Subject: [Aegypten] Bogus messages about certificates?
> To: kmail@kde.org, gpa-dev@gnupg.org

> But the signature on a message which was signed with a certificate that
> had not expired by the time the message was signed will always be valid
> (as long as the certificate isn't revoked).

No.  The signature is not valid after the expiration time of the
certificate.  The reason to use an expiration time is to make it
impossible for an attacker to issue a signature using a compromised
key belonging to an expired certificate.  The way a signature
verification should be handled in the workflow of an office is by
registering valid signed documents by other means.

The warning we display should mention that the certificate was
valid at the *claimed* time the signature was created, but
nevertheless we can't know anything more. I think we agreed on
displaying it in green with that warning.

> Is this also a Sphinx requirement that the certificate has to contain 
> the email address of the sender?

Yes.

> To check whether an email message really came from the sender one simply 
> checks the signature. The address in the From: header is completely 
> irrelevant. Of course, it might be worthwhile to warn the recipient 

No it isn't.  A MUA uses the From/Reply-To header for a reply.  This
can be used to trick the recipient into replying to the wrong person
and for example agreeing on a contract.

> when the sender's address isn't contained in the signing certificate. 
> But this certainly doesn't make the signature invalid.

No it is not invalid, but a note should be printed.

> Last but not least, I'm told that the certificate doesn't contain my 
> email address which is also wrong. This could be a problem with the 
> non-ASCII character in my user id.

> FYI, here is my "certificate":
> pub:u:1024:17:1A747E4530E0B9D8:971730462:::u:::scESC:
> uid:u::::::::Ingo Klöcker <ingo.kloecker@epost.de>:

Ah, Ingo got it right and did not use Windows and PGP or GPA to create
his key ;-). The UIDs are utf-8 encoded.

> BTW, do we really have to call it certificate? In the OpenPGP world this 
> is usually called key instead of certificate.

Agreed, however certificate is more exact and so I don't see an urgent
reason to change it.


Salam-Shalom,

   Werner

p.s.
Feel free to forward.
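
The sender-address check discussed in this thread, as an added example that is not part of the original messages and not code from KMail, GnuPG or the Ägypten project: it reads the uid records of the colon listing quoted above as UTF-8 and reports which From/Reply-To addresses the certificate does not contain. The function names and the case-insensitive address comparison are assumptions of this sketch.

```python
import re
from email.utils import parseaddr

# Constructed input: the two listing lines quoted in the thread, as UTF-8 bytes.
SAMPLE_LISTING = (
    "pub:u:1024:17:1A747E4530E0B9D8:971730462:::u:::scESC:\n"
    "uid:u::::::::Ingo Klöcker <ingo.kloecker@epost.de>:\n"
).encode("utf-8")


def uid_addresses(listing: bytes) -> set:
    """Collect the mail addresses from the uid records of a colon listing."""
    found = set()
    for line in listing.splitlines():
        fields = line.split(b":")
        if len(fields) < 10 or fields[0] != b"uid":
            continue
        # Field 10 is the user ID; gpg quotes special bytes C-style (':' is \x3a).
        raw = re.sub(rb"\\x([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), fields[9])
        # Decode as UTF-8 so a non-ASCII name cannot hide the address.
        uid = raw.decode("utf-8", errors="replace")
        match = re.search(r"<([^<>\s]+@[^<>\s]+)>\s*$", uid)
        if match:
            # Assumption: addresses are compared case-insensitively.
            found.add(match.group(1).lower())
    return found


def sender_notes(headers: dict, listing: bytes) -> list:
    """Notes for From/Reply-To addresses the certificate does not contain.

    An empty list means every reply target is covered. A non-empty list is
    a note for the user, not a verdict that the signature is invalid.
    """
    known = uid_addresses(listing)
    notes = []
    for name in ("From", "Reply-To"):
        if name not in headers:
            continue
        address = parseaddr(headers[name])[1].lower()
        if address not in known:
            notes.append(f"{name} address {address or '(unparsable)'} "
                         "is not in the signing certificate")
    return notes
```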
