Bug 74157: [meta] S/MIME support
Status: RESOLVED INACTIVE (opened 24 years ago, closed 2 years ago)
Categories: MailNews Core :: Security: S/MIME, enhancement
Tracking: Not tracked
People: Reporter: jmdesp, Unassigned
References: Depends on 11 open bugs
Details: Keywords: meta
There's some discussion around about the need of S/MIME support in
Mozilla/Netscape 6, but no specific bug opened for that.
I know everyone in Netscape has many things to do for Mozilla, but S/MIME is
really important.
It's hard for me to imagine version 1.0 would ship without S/MIME.
SSL/TLS was a requirement for the navigator from the start.
Why is S/MIME so low in the order of priority comparatively?
Well, at least this RFE will make clearly visible what level of importance
Netscape is giving to this.
Most of the bricks needed for S/MIME are there, NSS has all the components
required, the signing/encrypting UI is being created for the PGP plug-in.
BTW currently a signed mail where the signed content is included inside the
signature will generate the following display:
"This is an ENCRYPTED message. Mozilla Mail does not support encrypted mail."
In that case, it's false, the message is signed, not encrypted, but the signed
content is not available separately from the signature.
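Added example (not part of the original report and not Mozilla's code): a small classifier that separates the three S/MIME shapes this report touches on, so that a signed message whose content sits inside the PKCS#7 body is not labelled as encrypted. The function names and the sample messages are constructed for illustration.

```python
import base64
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Current and legacy ("x-") media types both occur in real mail.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_TYPE = {"signed-data": "opaque-signed", "enveloped-data": "encrypted"}
# DER encoding of the CMS content-type OID arc 1.2.840.113549.1.7; the next
# byte selects the type: 2 = signedData, 3 = envelopedData.
CMS_OID = bytes.fromhex("06092a864886f70d0107")
CMS_KIND = {2: "opaque-signed", 3: "encrypted"}


def _param(msg, name):
    value = msg.get_param(name)
    return collapse_rfc2231_value(value).lower() if value else ""


def classify_smime(raw):
    """Return detached-signed, opaque-signed, encrypted, unknown or not-smime."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear-signed: the content is a readable MIME part beside the signature.
        return "detached-signed" if _param(msg, "protocol") in PKCS7_SIG else "unknown"
    if ctype not in PKCS7_MIME:
        return "not-smime"
    declared = SMIME_TYPE.get(_param(msg, "smime-type"))
    if declared:
        return declared
    # smime-type is optional, so fall back to the outer ContentInfo OID
    # instead of assuming that every PKCS#7 body is encrypted.
    body = msg.get_payload(decode=True) or b""
    pos = body[:16].find(CMS_OID)
    if pos != -1 and len(body) > pos + len(CMS_OID):
        return CMS_KIND.get(body[pos + len(CMS_OID)], "unknown")
    return "unknown"


def sample(content_type, der):
    # Constructed message: the body is only the first bytes of a CMS structure.
    return (f"Content-Type: {content_type}\nContent-Transfer-Encoding: base64\n\n"
            + base64.b64encode(der).decode() + "\n")


SIGNED_DER = bytes.fromhex("3080") + CMS_OID + bytes.fromhex("02a080")
ENVELOPED_DER = bytes.fromhex("3080") + CMS_OID + bytes.fromhex("03a080")
DETACHED = ('Content-Type: multipart/signed; micalg=SHA1;\n'
            ' protocol="application/x-pkcs7-signature"; boundary="b"\n\n--b--\n')

if __name__ == "__main__":
    print(classify_smime(DETACHED))
    print(classify_smime(sample("application/x-pkcs7-mime; name=smime.p7m", SIGNED_DER)))
    print(classify_smime(sample("application/x-pkcs7-mime; name=smime.p7m", ENVELOPED_DER)))
```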
Comment 1•24 years ago
Security:Crypto
Assignee: mstoltz → ddrinan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: MailNews → Browser
If I understand the Mozilla schedule, S/MIME will not be done in time to ship
1.0. We are, however, staffing up to take the existing S/MIME libraries in NSS
and reflect them in the mail client. Volunteers should contact lord@netscape.com.
Stay tuned to the mozilla.crypto newsgroup. We'll post there as we make progress.
Updated•24 years ago
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.0
Updated•23 years ago
Blocks: advocacybugs
Comment 8•23 years ago
Since Netscape 4.x had this feature Mozilla 1.0 shouldn't be released without
S/MIME support. The people who need encrypted mail can't change to Mozilla
without S/MIME.
Comment 9•23 years ago
*** Bug 103030 has been marked as a duplicate of this bug. ***
Comment 10•23 years ago
*** Bug 63288 has been marked as a duplicate of this bug. ***
Comment 12•23 years ago
*** Bug 84213 has been marked as a duplicate of this bug. ***
Comment 13•23 years ago
We're starting the process to land the first cut at S/MIME support in the
Mozilla Mail client. This first cut will have close to no UI, but it will allow
you to send and receive signed and encrypted email. The first draft of the UI
specs will follow shortly after.
You should expect to see some progress in the next 2-3 weeks if all goes as planned.
Comment 14•23 years ago
Let us know how we can test it
Updated•23 years ago
Priority: -- → P1
Target Milestone: Future → 2.2
Comment 15•23 years ago
*** Bug 108548 has been marked as a duplicate of this bug. ***
Comment 16•23 years ago
*** Bug 108556 has been marked as a duplicate of this bug. ***
Comment 17•23 years ago
S/MIME seems to be in now... just to let those people know who wanted to know :)
Comment 18•23 years ago
I just downloaded the latest 11/13 build and it is not there. And even worse,
the security manager is gone! I cannot manage my certificates now.
Please explain how we are to access the S/MIME features?
Comment 19•23 years ago
I found out that MailNews now displays a message about verification of signed
S/MIME messages.
E.g.: I've received a signed message.
Here's a fragment of its Content type:
Content-Type: multipart/signed;
    micalg=SHA1;
    protocol="application/x-pkcs7-signature";
When I click to read it, I get a messagebox stating "This is a signed message
with a valid signature".
Are there any more goodies?
Comment 20•23 years ago
See bug 105526
Comment 21•23 years ago
Aha, all those new features are listed in attachment 54120 [details].
Comment 22•23 years ago
Is this support in the public trunk? I downloaded today's version for Linux, and
while there are options to sign and encrypt, they do nothing. They do not even
trigger the certificate selection process.
The 111303 windows (2k) version (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:0.9.5+) Gecko/20011113) does not even have the security option in the mail
composition window. Am I missing something here?
Comment 23•23 years ago
You first select your cert under mail server options. The sign/encrypt options
will then work. -GA
Comment 24•23 years ago
The user interface is surely a lot worse than in Netscape.
I did all you said, and now the mail send fails, saying to check the mail server
settings.
Also, when I pop up the security options menu in the Linux compose window,
selecting any of the options does not seem to stick. There is no dot next to the
option when I click it and then come back to the menu.
Comment 25•23 years ago
"...and now the mail send fails, saying to check the mail server
settings."
reference:
http://bugzilla.mozilla.org/show_bug.cgi?id=108912
Comment 26•23 years ago
I tried today's linux build (SuSE 7.3 dual processor pentium pro) again. When I
turned off the sign mail box, it was able to send mail.
When I turned it back on and tried again, Mozilla crashed. Twice.
The feedback agent sent 2 reports ....
Comment 27•23 years ago
The final design is still being worked out. This is a daily build release that
will help us work out the bugs in the underlying crypto libraries. For the UI, see:
http://www.mozilla.org/mailnews/specs/security/
and
http://www.mozilla.org/mailnews/specs/security/Options.html
Comment 28•23 years ago
Please see also netscape.public.mozilla.crypto
Comment 29•23 years ago
I'm working in build 2001112806 on MacOS X (10.1.1) and if I have the option
selected to sign a message when it is being sent, I get an error saying "Sending
of message Failed. Please verify that your Mail & Newsgroups settings are
correct and try again."
If I disable the option to sign, mail sends just fine. I'll be glad to do more
testing if anyone wants me to try something.
Comment 30•23 years ago
OK, I kinda need to rescind that last report. The problem appears to be that
you get that error if you are trying to use a certificate that is not trusted
(in my case, the root CA was not installed).
But nevertheless, the error is still a bad one. I guess one needs to get an
error saying that there is a problem with the certificate that you are trying to
use to sign email.
Comment 31•23 years ago
Now that S/MIME Support was checked in and enabled, shouldn't this bug be closed?
Comment 32•23 years ago
If it is enabled, it surely does not work for me yet on yesterday's build.
There are at least "user interface" issues since it works like a charm for me on
Netscape 4.7x, but I cannot get a signed or encrypted message sent.
Perhaps a short tutorial posted here might solve this. I usually get an error
about a misconfiguration of the mail server.
Comment 33•23 years ago
A big problem with the S/MIME interface is that it does not allow you to select
the recipient's certificate. I for example have one certificate, but about 6
e-mail addresses. If a person wants to send me e-mail at other than the address
in the certificate, he is out of luck.
The option/security menu does not allow an encrypt and/or sign just this
message. In general, I do not want to encrypt or sign everything!
A poster here said S/MIME will not work unless all the CAs are "trusted." Well,
if the send fails because of this, a pop-up needs to be generated saying which
CA is the problem and also allowing the user to decide whether to trust it just
this once, or forever, and for what purposes.
Comment 34•23 years ago
My mail still fails to send if I check encryption or signature. And a lot of the
times, the buttons for these do not stick. I set them, and for the same message,
return to the security settings option, and they are unset again.
So if the encrypt option is set, the mail will not send, or else, it cannot be set.
Comment 35•23 years ago
I'm seeing this too now (send failed if signing checked).
Comment 36•23 years ago
Regarding comment #33:
You can certainly set your cert in the account manager, then decide not to check
the sign messages.
Once you've done that you can use the option menu to set the signing and
encryption for each message.
This works with build 2002010903.
Currently the S/MIME implementation is only here to catch S/MIME libraries
issues. The specs for the UI can be viewed at
http://rocknroll/users/jglick/publish/Security/Security.html
Trust issues are central to the PKI model. We will provide better feedback when
reading an email whose signature fails to validate.
We will provide feedback on why an email cannot be signed/encrypted.
If you're currently unable to send a signed email you may be hitting a variety
of bugs, or your mail account may not be configured correctly.
If you want to help, you may want to try and isolate the issue by setting up a
new profile, by trying different scenarios. Things that may affect your ability
to find your own signing cert (many of them bugs that need to be fixed) are:
- Not yet logged in to the software security device (the client should prompt you).
- The setting of prefs->sec->certificates->ask every time/choose automatically.
- Certificate database corruption issues (testing on a new profile helps isolate
these).
- Certificate issues (expiration date, trust, broken CA chain, untrusted CA, etc...)
- Use of Hardware devices.
- Random Mozilla regressions in the XUL which cause the prefs settings or the
options/security menu of the compose window to be broken (javascript console may
help isolate these.)
Regarding email addresses and certificates. When you sign an email sent from
one account, the various RFCs strongly recommend that the certificate used to
sign the email contain the email address of the sender in the altSubjectName
field, or the E= attribute of the cert subject name. Without this, it's very
easy to take a non signed email sent by a@foo.com, modify it (buy 1,000,000 of
this rather than 1,000) sign it with a different cert (the signature will be
"valid") and let it go to the recipient who would be given a feedback that the
email is "signed".
Note that certificates can have multiple addresses in the altSubjectName
(although mozilla may not work well yet in that case - but it's in the plan).
Thawte certificates for example allow you to add email addresses to them
(actually a new cert based on the same key material is issued).
The other way to handle multiple email addresses is to have different Mail/News
accounts with different certificates. This is definitely supported today. There
may be many reasons to want to have different certificates. One may be issued by
your employer, one may be for personal use. You wouldn't want to use one for
the other, as employers often escrow the encryption keys. Other reasons may
include how the certificate was issued (certain "classes" of certificate require
you to have a face-to-face enrollment procedure to verify your identity. The
cert would carry much more weight.)
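Added example (not part of the comment above and not Mozilla's code): the sender-address check that comment describes, applied after a signature has already verified, so that a cryptographically valid signature made with an unrelated certificate is flagged. The function names and sample data are hypothetical, and the certificate fields are assumed to have been extracted from the signer certificate after chain validation.

```python
from email import message_from_string
from email.utils import getaddresses


def normalize(addr):
    """Compare the domain case-insensitively and the local part exactly."""
    local, sep, domain = addr.strip().rpartition("@")
    return f"{local}@{domain.lower()}" if sep else ""


def cert_addresses(subject_dn, san_rfc822):
    """Addresses the certificate vouches for: every rfc822Name in the subject
    alternative name plus a legacy E= / emailAddress= subject attribute."""
    found = {normalize(a) for a in san_rfc822}
    # Assumption: subject_dn is a simple comma-separated string without
    # escaped commas, as printed by common certificate viewers.
    for rdn in subject_dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().lower() in ("e", "emailaddress"):
            found.add(normalize(value))
    found.discard("")
    return found


def signer_matches_sender(raw_headers, subject_dn, san_rfc822):
    """Return (ok, reason) for a message whose signature already verified."""
    msg = message_from_string(raw_headers)
    senders = [normalize(a) for _, a in getaddresses(msg.get_all("From", []))]
    senders = [s for s in senders if s]
    if len(senders) != 1:
        return False, "expected exactly one From address"
    allowed = cert_addresses(subject_dn, san_rfc822)
    if not allowed:
        return False, "signer certificate carries no e-mail address"
    if senders[0] in allowed:
        return True, "From address is covered by the signer certificate"
    return False, f"{senders[0]} is not among {sorted(allowed)}"


# Constructed sample data (not taken from the bug report).
HEADERS = "From: Alice <alice@Example.org>\nSubject: order 1,000 units\n\n"
ALICE = ("CN=Alice, E=alice@example.org", ["alice.alias@example.org"])
MALLORY = ("CN=Mallory", ["mallory@example.net"])

if __name__ == "__main__":
    print(signer_matches_sender(HEADERS, *ALICE))
    print(signer_matches_sender(HEADERS, *MALLORY))
```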
Comment 37•23 years ago
http://rocknroll/users/jglick/publish/Security/Security.html
does not work for me.....
I have no problems using certificates with Netscape 4.x...
For commercial purposes, I agree about that e-mail address matching the
certificate address is a good idea. But if I want to send private mail to
friends, they will know it is me, even if my account and e-mail do not match.
Managing user certificates gets to be a nightmare, and certificates cost money,
so having many is hard to justify. If I encrypt a message with a certificate
that does not agree with my e-mail address, my receiver, if they already have
and trust my certificate, knows that it was encrypted with my private key, so if
the certificate has not been revoked, it really did come from me. The situation
gets more complex when I have multiple e-mail aliases that all go to the same
place. I am jar@ornl.gov, romeja@ornl.gov, romeja@y12.doe.gov. They all get sent
to the same place, and I cannot always control which one is used.
In any event, this choice should be up to the user.
Comment 38•23 years ago
Sorry, make that:
http://www.mozilla.org/mailnews/specs/security/
Comment 39•23 years ago
Another option to check is your OCSP setting. See Bug 119540
Comment 40•23 years ago
The interface spec helped a bit. I sent myself a signed message (to my pop account),
and the expanded subject said signed, but there was no visible signature icon,
nor any way to see the signature. I was able to view the message source and see
the signature in a non-readable format.
Comment 41•23 years ago (Reporter)
I have been able to:
- read and verify successfully signed emails
- read and fail verify (CA not trusted) of signed emails
- send encrypted email
AFAIC, the initial RFE is done.
I can sign, I can encrypt.
Now the UI still needs work.
I can't have a description of why the check failed or see the certificate of the
sender (comment #37, this was in 4.x), and some people want more sophisticated
treatment of the relation email-certificate as can be seen in some comment
(comment #33, comment #37, this wasn't in 4.X).
AFAIC, I feel these requests could be in a separate bug, and this bug
closed-verified.
For people who are used to N 4.X, finding where to set the certificate options
for mail is really difficult and non intuitive, even if the sheer fact of
linking them to mail account is a very good idea.
Finding how it can be enhanced could be a usability bug, too.
Comment 42•23 years ago
I think you need to give us folks some clues about how to do all of this. I sent
myself a signed message. There is NOTHING on the window to indicate this. If I
expand the subject pane, it says <signed>, but I find no way of viewing the
signature.
I tried to send an encrypted piece of mail to myself. It complained that it
couldn't find my certificate. I went to the LDAP and downloaded it, so it should
have been in the list of "others" certificates. But it is not there. When I view
my personal certificates, the e-mail address is not listed.
Another issue is that we have e-mail aliases. I am jar@ornl.gov and
romeja@ornl.gov. They both go to the same place. I need a way of seeing which
address my certificate is for.
What am I missing?
Comment 43•23 years ago
For the UI please look at the specs as described in comment #27 (only the first
link is relevant.)
You're using an alpha product as far as s/mime is concerned. You should not
rely on it.
Comment 44•23 years ago
I saw none of the widgets described in the spec in my signed message.
Comment 45•23 years ago
Exactly. The specs are what you'll have when we're done.
Comment 46•23 years ago
Adding some S/MIME bugs to dependencies.
Comment 48•23 years ago
Please consider adding a dependency on bug #117992, filed on a problem in
retrieving new certificates from Thawte.
Thawte Freemail is currently the only way to get a free and widely-recognized
personal certificate, so this is quite critical for many potential users of S/MIME.
Comment 50•23 years ago
A nice guide was noted by Stephane Saux a month ago in
news://news.mozilla.org:119/3C4F6A59.8080600@netscape.com
which should help people figure out how to get started testing:
Sean Cotter put together the following document on using the preliminary
s/mime functionality now present in daily mozilla builds. The UI is not fully
implemented.
It includes information on getting a test certificate so that one can get
going. Note that these certificates have a 7 day validity period, so one has to
go and obtain new certs fairly regularly.
http://www.mozilla.org/projects/security/pki/psm/smime_guide.html
Comment 51•23 years ago
Another free source of S/MIME certificates is Jeff Schiller's fancifully named
"Black Helicopter Organization". Before you ask how much you should trust
these certs, ask yourself how much liability the commercial cert providers
are willing to accept for their certs....
http://www.black-helicopter.org/bh/
These are not dual-key certs, so they allow testing different aspects of Mozilla
than the Netscape Test Certificate Authority certs at
https://testca.netscape.com/
Jeff's also are valid for a lot longer - one year.
Comment 52•23 years ago
Component: Client Library → S/MIME
QA Contact: alam → carosendahl
Updated•22 years ago
Target Milestone: 2.2 → Future
Comment 53•22 years ago
removing nsbeta1+ as this is a tracking bug
Keywords: nsbeta1+
Summary: [RFE] S/MIME support in Mozilla Mail → [RFE] S/MIME support in Mozilla Mail tracking bug
Updated•22 years ago
Keywords: meta
Summary: [RFE] S/MIME support in Mozilla Mail tracking bug → S/MIME support in Mozilla Mail tracking bug
Comment 54•22 years ago
There seems to be an inability to handle S/MIME e-mail from Outlook Express.
The mail looks like:
<usual mail header>
This is a multi-part message in MIME format.
------=_NextPart_000_000E_01C30B52.0C15E090
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<mail message textual content>
------=_NextPart_000_000E_01C30B52.0C15E090
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
------=_NextPart_000_000E_01C30B52.0C15E090--
1) The signature icon in the bottom border is not there
2) Inside the attachment window, is an icon that says it is signed, but you
can't tell unless you open the attachment panel.
3) There seems no way to import the .p7s file into my Mozilla so I can use his
public key.
I even tried clipping the signature file, putting it into a .p7 file, but that
did not work either.
I am using build 2003041704 on win2k.
Why isn't this working?
Comment 55•22 years ago (Reporter)
James, this kind of question should be reserved for the support newsgroups
(news://news.mozilla.org/netscape.public.mozilla.crypto or
news://news.mozilla.org/netscape.public.mozilla.mail-news), not added to a bug
report like this one.
If indeed there's a problem in Mozilla, it should be added as a new bug only
once there's a better description of it.
I received hundreds of signed/encrypted mails from Outlook users, they usually work.
The "usual mail header" part is the one that sounds the most suspicious.
If you want someone to answer you on the newsgroups, send *all* the headers and
all the content of the mail (anonymize mail addresses first).
Comment 56•21 years ago
Mass reassign ddrinan's PSM bugs (with his permission) to nobody
Assignee: ddrinan0264 → nobody
QA Contact: carosendahl → nobody
Target Milestone: Future → ---
Updated•18 years ago
QA Contact: nobody → s.mime
Updated•5 years ago
Priority: P1 → --
Comment 57•3 years ago
Are the bugs in this component going to be getting attention anytime soon?
It would appear these have mostly lingered for more than a decade and despite an emphasis on encryption, that apparently only means open PGP.
The fact that Thunderbird periodically can't find a certificate that the UI has no trouble finding is worrisome in the least. Bug 1481969 12 years ago.
Updated•2 years ago
Severity: normal → S3
Comment 58•2 years ago
s/mime has its very own component. And given this is inactive for twenty years and the meta bug today lacks a clear focus, I think we can close this.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INACTIVE
Summary: S/MIME support in Mozilla Mail tracking bug → [meta] S/MIME support