gpgsm and expired certificates

MFPA expires2013 at
Thu Nov 7 00:29:05 CET 2013

On Wednesday 6 November 2013 at 11:42:49 AM, in
<mid:87txfpg3ie.fsf at>, Uwe Brauer wrote:

> Well take for example iOS: using pgp is a sort of a
> nightmare.

So I have heard.

> The reasons why I think smime is easier to use for the
> average user are: smime is already installed in most
> MUA (so no additional software+plugin)

But all the hordes who use webmail are pretty-much still out of luck,
though. (With certain exceptions, such as hushmail.)

> keypairs are
> generated and signed  by the "trust center".

I don't know about the "trust centre." The Bat! gives me the choice
of its own internal implementation or Microsoft Crypto-API, which is
part of Windows. (The Bat! and Windows are closed-source proprietary
products that we probably shouldn't discuss too much on this list.)

> Public
> keys are automatically embedded in the signatures.

That is simpler and avoids the web-bug-like effect you have if you
choose to auto-retrieve OpenPGP keys from keyservers for new contacts.
But must waste a lot of bandwidth between regular correspondents.

> Aha I see you use the BAT, an email program I have not
> seen in use, for almost a decade.

I have used it myself for over nine years.

> Good and bad news.
> Gpgsm allowed me to use your public keys after having
> fired up a series of questions, iOS also,


>  (if you
> don't mind I send you to test messages later privately)

I don't mind.

> However thunderbird refuses to use your public key
> claiming it cannot be trusted.

Fair enough. Using its internal implementation, The Bat! accepts
signatures from the S/MIME certificate I created last night (because I
added it to the trusted root CA address book) and does not accept your
S/MIME signature (because Comodo's root certificate is not in the
trusted root CA address book - but adding it would be just a few
clicks). MS Crypto-API is fine with Comodo's root cert, but says my
certificate has an invalid signature algorithm specified.

I just searched and found [1] about Thunderbird, which says you can
import a copy of other people's self-signed S/MIME certificate from a
".cer" file into your "Authorities" tab. So much for "being easier
because keys are automatically embedded in the signatures."

> So I am afraid the
> issue is to persuade not only the people but also
> the software.

As I said, getting other people to persuade their MUA to accept it.

[1] <>.

--
Best regards

MFPA                    mailto:expires2013 at

Courage is not the absence of fear, but the mastery of it.

