
GpgOL does not automatically switch protocol for not-compliant certificates
Closed, Wontfix (Public)

Description

The security confirmation dialog checks for OpenPGP keys.
If no OpenPGP keys were found it should automatically try S/MIME.

Possibly include a preference for whether OpenPGP or S/MIME is checked first.

The original description was wrong, switching works in principle.
But now a case was pointed out where it doesn't work in GnuPGVS-Desktop versions:

If the sender has valid VS-conform certificates for OpenPGP and S/MIME, and a recipient has only a certificate for the protocol which is not the sender's preferred one and the certificate is not VS-compliant, switching automatically away from the sender's preferred protocol does not work.

How to reproduce (example for recipient has S/MIME):

  • Sender has: VS-compliant certificates for OpenPGP and S/MIME
  • Recipient has: no VS-compliant certificate, here RSA 2048 S/MIME certificate
  • Trying to send mail results in:

  • switching manually to S/MIME shows:

This might be unexpected, but we do not want to change this, as the recipient's certificate is not VS-compliant.
The sender could want to import a VS-compliant OpenPGP certificate instead or switch to a compliant one with another mail address instead of using the non-compliant S/MIME certificate.

Details

Version
vsd 3.3.3 and before

Event Timeline

alexk triaged this task as Normal priority. Fri, Nov 21, 2:27 PM
alexk created this task.

This isn't a Kleopatra issue. I suppose this happens with Outlook. The security confirmation checks for the type of keys it's asked for. Either OpenPGP or S/MIME or unspecified.

The resolver.exe that's used by Outlook has options --protocol and --preferred-protocol. If --protocol is given then only results for this protocol are printed. --preferred-protocol sets the protocol that should be checked first. There's also the option --allowMixed, but I don't know if GpgOL can handle this (and very likely it's not desired).

Possibly include a preference for whether OpenPGP or S/MIME is checked first.

The preference option does already exist in GpgOL, it is "Prefer S/MIME". If not set (the default), then OpenPGP keys are preferred.

ebo renamed this task from "Kleopatra: security confirmation should check for S/MIME keys" to "GpgOL should check for S/MIME keys, too". Mon, Nov 24, 12:10 PM
ebo edited projects, added gpgol; removed vsd34, kleopatra.

And meanwhile I have tested this a bit with VSD3.3.3 and in the case that the sender has a valid and *VS-compliant* key the automatic switching works.

It is possible that it may not work for S/MIME certificates with RSA 2048, but I'm lacking a valid test certificate at the moment.

I wonder if we should better open a new ticket with all the relevant data when we get a report giving more information and set this one to invalid.

ebo renamed this task from "GpgOL should check for S/MIME keys, too" to "GpgOL does not automatically switch protocol for not-compliant certificates". Wed, Nov 26, 1:06 PM
ebo closed this task as Wontfix.
ebo updated the task description.
ebo added a project: vsd.
ebo set Version to vsd 3.3.3 and before.
ebo moved this task from Triage to Done on the gpgol board.