Proposed patch for libksba: make SMIMECapabilities parameter encoding conform to RFC

Werner Koch wk at
Thu Feb 21 11:10:41 CET 2008

On Thu, 21 Feb 2008 08:45, stvdo at said:

> there are a lot of complaints around concerning interoperability of S/MIME encrypted Mails between Thunderbird (using its own S/MIME Library) and KMail (using gpgsm), see, e.g.

Which is mostly a problem of Mozilla not doing what everyone else does.
We actually had to add the SMIME capability EA to convince an older
version not use use 40 bit encryption.  Now it seems again to be pitty.
I still consider it very very questionable to fallback to insecure
algorithms based on missing preference.  No security application should
ever do that!!.

> When exchanging signed/encrypted Mails between KMail and Thunderbird,
> Thunderbird reads the SMIMECapabilities section, but refuses to accept
> any algorithms for which the parameter encoding is not strictly
> conform to the RFC. Thunderbird in that case falls back to RC2/40

Thanks for tracking the problem down.

> At I have filed a

You should use

> possible patch for libksba which corrects the encoding of absent
> parameters in SMIMECapabilities. However, I don't know whether the bug
> tracker is actively monitored and by whom. So I'd like to announce the
> patch on this mailing list, too, and ask for a carefull review.

The patch is not correct as it would remove encoding of the NULL
parameter in all algorithmIdentifiers and not use with
smimeCapabilities.  rfc3280 does not have this requirement and the
original profile gpgsm has been written for suggtest to use NULL.  In
fact Mozilla is the only application with such a problem and all other
S/MIME applications interoperate just fine with gpgsm.  Checkout the BSI
website on S/MIME interoperability.

Anyway, I changed that in the SVN and attach a patch which can be
applied to libksba 1.0.3.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: smimecap-fix.diff
URL: </pipermail/attachments/20080221/dadff8f4/attachment.txt>

More information about the Gnupg-devel mailing list