Re: [Evolution-hackers] Camel smime
Hello guys, I think you underestimate the difficulty to implement a serious s/mime client! With Mozilla there is much more than just an s/mime api. It permit also to request certificate from a website, install them in a PSM, manage CRL and OCSP, permit the user to trust a CA or not, via a GUI, you get smart card support... All tested by a wide community. On the other hand, I am sure OpenSSL is right for SSL/TLS servers and eventually clients. Additionnaly, it would be nice for Gnome users to be able to manage his ceertificates in 1 place... like it is in MS products. Why not by improving Mozilla code. I really think that both projects would profit of it! Marc Jadoul On Wed, 2002-06-05 at 18:36, Jeffrey Stedfast wrote: Yea, I can take a look into it. Jeff On Wed, 2002-06-05 at 12:13, Ettore Perazzoli wrote: On Tue, 2002-06-04 at 20:53, Not Zed wrote: Thats an interesting patch, it all runs off the openssl command, didn't know it could do all that ... then again i didn't even know it existed. Jeff, perhaps this is the answer? :) This sounds like a great way to make it work simply and nicely. :-) (While avoiding messy with NSS, which is always painful.) At some point we should probably look into that?.. -- Ettore ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
Thus you do not believe that the API will stabilize with Mozilla 1.0? I work for a company doing PKI and s/mime compatibility between outlook express, trusted-mime, outlook 2000, netscape messenger and Mozilla is one of the most difficult problem! Even if you can hack something compatible with all these applications, it will take you far more work/time than using Mozilla code to test this compatibility. And the missing features will do that no one will use it. For instance, to use it I would need smart card support + mulitple email address support (1 cert can only be used for 1 email adress) and separation of signing/encrypting functionality in 2 certs (needed for qualified certs), Writing down requirements could may be permit a more objective choice? Note that I have No interest in Mozilla, and I know Openssl better than NSS, but it is just my current feeling. - Original Message - From: Not Zed [EMAIL PROTECTED] To: Marc Jadoul [EMAIL PROTECTED] Cc: Jeffrey Stedfast [EMAIL PROTECTED]; Ettore Perazzoli [EMAIL PROTECTED]; Mark Foster [EMAIL PROTECTED]; Evolution Hackers Mailing List [EMAIL PROTECTED] Sent: Wednesday, June 05, 2002 11:41 PM Subject: Re: [Evolution-hackers] Camel smime This was covered earlier. The mozilla code, while great, is still in development and under constant change, there is no stable api we can develop to. We dont really have the resources to help their effort either, unfortunately. The pgp code we have just executes an external program and it works 'enough' for many people, even if it isn't ideal. Once a better implementation comes along it can just slot in though. And no, i dont think we do, to be honest. On Thu, 2002-06-06 at 19:09, Marc Jadoul wrote: Hello guys, I think you underestimate the difficulty to implement a serious s/mime client! With Mozilla there is much more than just an s/mime api. It permit also to request certificate from a website, install them in a PSM, manage CRL and OCSP, permit the user to trust a CA or not, via a GUI, you get smart card support... All tested by a wide community. On the other hand, I am sure OpenSSL is right for SSL/TLS servers and eventually clients. Additionnaly, it would be nice for Gnome users to be able to manage his ceertificates in 1 place... like it is in MS products. Why not by improving Mozilla code. I really think that both projects would profit of it! Marc Jadoul On Wed, 2002-06-05 at 18:36, Jeffrey Stedfast wrote: Yea, I can take a look into it. Jeff On Wed, 2002-06-05 at 12:13, Ettore Perazzoli wrote: On Tue, 2002-06-04 at 20:53, Not Zed wrote: Thats an interesting patch, it all runs off the openssl command, didn't know it could do all that ... then again i didn't even know it existed. Jeff, perhaps this is the answer? :) This sounds like a great way to make it work simply and nicely. :-) (While avoiding messy with NSS, which is always painful.) At some point we should probably look into that?.. -- Ettore ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
On Thu, 2002-06-06 at 22:19, Marc Jadoul wrote: Thus you do not believe that the API will stabilize with Mozilla 1.0? I work for a company doing PKI and s/mime compatibility between outlook express, trusted-mime, outlook 2000, netscape messenger and Mozilla is one of the most difficult problem! Even if you can hack something compatible with all these applications, it will take you far more work/time than using Mozilla code to test this compatibility. And the missing features will do that no one will use it. For instance, to use it I would need smart card support + mulitple email address support (1 cert can only be used for 1 email adress) and separation of signing/encrypting functionality in 2 certs (needed for qualified certs), Writing down requirements could may be permit a more objective choice? *Shrug* If its too hard we just wont do it. Note that I have No interest in Mozilla, and I know Openssl better than NSS, but it is just my current feeling. - Original Message - From: Not Zed [EMAIL PROTECTED] To: Marc Jadoul [EMAIL PROTECTED] Cc: Jeffrey Stedfast [EMAIL PROTECTED]; Ettore Perazzoli [EMAIL PROTECTED]; Mark Foster [EMAIL PROTECTED]; Evolution Hackers Mailing List [EMAIL PROTECTED] Sent: Wednesday, June 05, 2002 11:41 PM Subject: Re: [Evolution-hackers] Camel smime This was covered earlier. The mozilla code, while great, is still in development and under constant change, there is no stable api we can develop to. We dont really have the resources to help their effort either, unfortunately. The pgp code we have just executes an external program and it works 'enough' for many people, even if it isn't ideal. Once a better implementation comes along it can just slot in though. And no, i dont think we do, to be honest. On Thu, 2002-06-06 at 19:09, Marc Jadoul wrote: Hello guys, I think you underestimate the difficulty to implement a serious s/mime client! With Mozilla there is much more than just an s/mime api. It permit also to request certificate from a website, install them in a PSM, manage CRL and OCSP, permit the user to trust a CA or not, via a GUI, you get smart card support... All tested by a wide community. On the other hand, I am sure OpenSSL is right for SSL/TLS servers and eventually clients. Additionnaly, it would be nice for Gnome users to be able to manage his ceertificates in 1 place... like it is in MS products. Why not by improving Mozilla code. I really think that both projects would profit of it! Marc Jadoul On Wed, 2002-06-05 at 18:36, Jeffrey Stedfast wrote: Yea, I can take a look into it. Jeff On Wed, 2002-06-05 at 12:13, Ettore Perazzoli wrote: On Tue, 2002-06-04 at 20:53, Not Zed wrote: Thats an interesting patch, it all runs off the openssl command, didn't know it could do all that ... then again i didn't even know it existed. Jeff, perhaps this is the answer? :) This sounds like a great way to make it work simply and nicely. :-) (While avoiding messy with NSS, which is always painful.) At some point we should probably look into that?.. -- Ettore ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
On Thu, 2002-06-06 at 13:49, Marc Jadoul wrote: compatibility. And the missing features will do that no one will use it. For instance, to use it I would need smart card support + mulitple email address support (1 cert can only be used for 1 email adress) and separation of signing/encrypting functionality in 2 certs (needed for qualified certs), Isn't this (1 cert can only be used for 1 email adress) more a political issue with CA's than technical? I think it is... after all, they'd be very happy to have you pay for a certificate per email address... Cheers, -- + No matter how much you do, you never do enough -- unknown + Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi + So let's do it...? signature.asc Description: This is a digitally signed message part
Re: [Evolution-hackers] Camel smime
On Wed, 2002-06-05 at 14:41, Not Zed wrote: This was covered earlier. The mozilla code, while great, is still in development and under constant change, there is no stable api we can develop to. We dont really have the resources to help their effort either, unfortunately. The pgp code we have just executes an external program and it works 'enough' for many people, even if it isn't ideal. Once a better implementation comes along it can just slot in though. Which is what the mutt implementation does. If the external call to openssl command is good enough for mutt, and it's common to what evolution is already doing with gpg, why not go with that and worry about nss integration for when (if) it becomes stable? And no, i dont think we do, to be honest. On Thu, 2002-06-06 at 19:09, Marc Jadoul wrote: Hello guys, I think you underestimate the difficulty to implement a serious s/mime client! With Mozilla there is much more than just an s/mime api. It permit also to request certificate from a website, install them in a PSM, manage CRL and OCSP, permit the user to trust a CA or not, via a GUI, you get smart card support... All tested by a wide community. On the other hand, I am sure OpenSSL is right for SSL/TLS servers and eventually clients. Additionnaly, it would be nice for Gnome users to be able to manage his ceertificates in 1 place... like it is in MS products. Why not by improving Mozilla code. I really think that both projects would profit of it! Marc Jadoul On Wed, 2002-06-05 at 18:36, Jeffrey Stedfast wrote: Yea, I can take a look into it. Jeff On Wed, 2002-06-05 at 12:13, Ettore Perazzoli wrote: On Tue, 2002-06-04 at 20:53, Not Zed wrote: Thats an interesting patch, it all runs off the openssl command, didn't know it could do all that ... then again i didn't even know it existed. Jeff, perhaps this is the answer? :) This sounds like a great way to make it work simply and nicely. :-) (While avoiding messy with NSS, which is always painful.) At some point we should probably look into that?.. -- Ettore ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
On Thu, 2002-06-06 at 08:49, Marc Jadoul wrote: Thus you do not believe that the API will stabilize with Mozilla 1.0? I work for a company doing PKI and s/mime compatibility between outlook express, trusted-mime, outlook 2000, netscape messenger and Mozilla is one of the most difficult problem! Even if you can hack something compatible with all these applications, it will take you far more work/time than using Mozilla code to test this compatibility. And the missing features will do that no one will use it. For instance, to use it I would need smart card support + mulitple email address support (1 cert can only be used for 1 email adress) and separation of signing/encrypting functionality in 2 certs (needed for qualified certs), Writing down requirements could may be permit a more objective choice? Note that I have No interest in Mozilla, and I know Openssl better than NSS, but it is just my current feeling. I'm not so sure I'd go so far as to say that OpenSSL is *better* than Mozilla NSS. What I *would* say is that the OpenSSL API is less likely to change. This is what I was told by a Mozilla developer: Sigh, unfortunately many of our NSS API's were ad-hoc API's built to make Communicator or Netscape servers happy. We've really only stablized the SSL API's. We've spent some time defining the new API's we want to go to, but it's going to take a multi-step process to get there. What we are trying to do right now is elliminate those API's that will not be easy to emulate in our new world. We really wanted to have these new API's up and running before we went to Shared Library based versions of NSS, but the need to go to Shared Libraries outstripped out time to finish the new API's. Anyway the reason we haven't spent time documenting the old stuff is we are hoping to be ready with the new stuff soon. This was a few months ago, but from the looks of it - this is still the case. Jeff - Original Message - From: Not Zed [EMAIL PROTECTED] To: Marc Jadoul [EMAIL PROTECTED] Cc: Jeffrey Stedfast [EMAIL PROTECTED]; Ettore Perazzoli [EMAIL PROTECTED]; Mark Foster [EMAIL PROTECTED]; Evolution Hackers Mailing List [EMAIL PROTECTED] Sent: Wednesday, June 05, 2002 11:41 PM Subject: Re: [Evolution-hackers] Camel smime This was covered earlier. The mozilla code, while great, is still in development and under constant change, there is no stable api we can develop to. We dont really have the resources to help their effort either, unfortunately. The pgp code we have just executes an external program and it works 'enough' for many people, even if it isn't ideal. Once a better implementation comes along it can just slot in though. And no, i dont think we do, to be honest. On Thu, 2002-06-06 at 19:09, Marc Jadoul wrote: Hello guys, I think you underestimate the difficulty to implement a serious s/mime client! With Mozilla there is much more than just an s/mime api. It permit also to request certificate from a website, install them in a PSM, manage CRL and OCSP, permit the user to trust a CA or not, via a GUI, you get smart card support... All tested by a wide community. On the other hand, I am sure OpenSSL is right for SSL/TLS servers and eventually clients. Additionnaly, it would be nice for Gnome users to be able to manage his ceertificates in 1 place... like it is in MS products. Why not by improving Mozilla code. I really think that both projects would profit of it! Marc Jadoul On Wed, 2002-06-05 at 18:36, Jeffrey Stedfast wrote: Yea, I can take a look into it. Jeff On Wed, 2002-06-05 at 12:13, Ettore Perazzoli wrote: On Tue, 2002-06-04 at 20:53, Not Zed wrote: Thats an interesting patch, it all runs off the openssl command, didn't know it could do all that ... then again i didn't even know it existed. Jeff, perhaps this is the answer? :) This sounds like a great way to make it work simply and nicely. :-) (While avoiding messy with NSS, which is always painful.) At some point we should probably look into that?.. -- Ettore ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
On Tue, 2002-06-04 at 23:13, Jeffrey Stedfast wrote: Once upon a time I had started implementing S/MIME using the Mozilla NSS libraries, but I had given up on that due to the API changing on me and the fact that the Mozilla developers told me that the API was not going to be stable anytime soon. Of course this was a long while back, so maybe things have changed? Have you looked at using GNUTLS? http://www.gnu.org/software/gnutls ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
On Wed, 2002-06-05 at 23:52, Mark Foster wrote: On a side note, according to this URL, smime support has already been added to mutt, so something's awry. http://elmy.myip.org/mutt/smime.html *blink* Ahh well, who knows eh. Maybe they're just doing it again, maybe its an old stale project, or maybe they didn't know about the other one. Thats an interesting patch, it all runs off the openssl command, didn't know it could do all that ... then again i didn't even know it existed. Jeff, perhaps this is the answer? :) Z ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
On Tue, 2002-06-04 at 20:53, Not Zed wrote: Thats an interesting patch, it all runs off the openssl command, didn't know it could do all that ... then again i didn't even know it existed. Jeff, perhaps this is the answer? :) This sounds like a great way to make it work simply and nicely. :-) (While avoiding messy with NSS, which is always painful.) At some point we should probably look into that?.. -- Ettore
Re: [Evolution-hackers] Camel smime
On Wed, 2002-06-05 at 15:46, Colin Walters wrote: On Tue, 2002-06-04 at 23:13, Jeffrey Stedfast wrote: Once upon a time I had started implementing S/MIME using the Mozilla NSS libraries, but I had given up on that due to the API changing on me and the fact that the Mozilla developers told me that the API was not going to be stable anytime soon. Of course this was a long while back, so maybe things have changed? Have you looked at using GNUTLS? Hmm, not lately :) http://www.gnu.org/software/gnutls Note that we are using libnss successfully for TLS (i.e. ssl), so this is of lesser importance. It wouldn't be a significant chunk of work to have another tls library used instead though, probably a single camel-object 'stream' implementation would suffice infact (and a stream doesn't need to do much, just connect/read/write/disconnect), and maybe a couple of other minor patches. Looking through the docs of gnutls it looks like it may have some of the features required, but it also doens't look like they're aiming it as a general purpose s/mime capable toolkit? i.e.: Note that GNUTLS is not a generic purpose X.509 toolkit1.7. GNUTLS only includes the required, in order to use the TLS ciphersuites which require X.509 certificates. - footnote links to Aegypten http://www.gnupg.org/aegypten/ And Aegypten is a toolkit/project to add s/mime to kmail mutt (and coincidentally was just brought up on the evolution users list). ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
Once upon a time I had started implementing S/MIME using the Mozilla NSS libraries, but I had given up on that due to the API changing on me and the fact that the Mozilla developers told me that the API was not going to be stable anytime soon. Of course this was a long while back, so maybe things have changed? If I start up again, I may give using the SFL a go as it looks much simpler. It will also allow me to merge the abstractions for PGP/MIME and S/MIME a bit better, since NSS only allows signing of whole messages and the Camel PGP/MIME implementation was implemented to allow signing of any individual MIME part. Anyways, I don't see S/MIME getting one anytime soon, so if you want to take a stab at it feel free to. No one has ever tried porting Camel to Win32, so I have no idea what problems you may have... What kind of project are you interested in doing on Win32 if I may ask? Seems an odd thing to do... Jeff On Tue, 2002-06-04 at 23:08, [EMAIL PROTECTED] wrote: Hi I am looking at reusing the camel package on Windows platform for my project. Has anyone successfully ported the package to Windows before? Anyone foresee any difficulty I may face in doing the port? I am glad to hear that smime is on the to-do list of Evolution. Am hoping though that it could be given greater priority. What would be the approach in the implementation, e.g. will it be built on existing packages like Smime Free Library (SFL) and OpenSSL? Dan [EMAIL PROTECTED] __ For the latest news, go to http://www.asia1.com ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers
Re: [Evolution-hackers] Camel smime
On Wed, 2002-06-05 at 12:38, [EMAIL PROTECTED] wrote: Hi I am looking at reusing the camel package on Windows platform for my project. Has anyone successfully ported the package to Windows before? Anyone foresee any difficulty I may face in doing the port? It will need a decent posix library. Camel uses threads (it can be compiled without it, but i dont think that works anymore), and all the basix posix/c library calls, forking, pipes, etc. It assumes (and will continue to assume) that '/' is the directory separator, '/' is the root of the filesystem, etc. There are some dependencies on a couple of other evolution libraries - it uses a couple of small parts from gal (most of which i'd like to remove ... since using gal draws in almost all of gnome), and a small utility library e-util. Also note, camel is not a separate package. It is an internal evolution library - and subject to significant and constant api change and redesign. I am glad to hear that smime is on the to-do list of Evolution. Am hoping though that it could be given greater priority. What would be the approach in the implementation, e.g. will it be built on existing packages like Smime Free Library (SFL) and OpenSSL? Problem is SFL is c++ and the c api is pretty limited. But that is definetly something we were looking into. As Jeff said, s/mime is on the todo list, but shelved for now. Dan [EMAIL PROTECTED] __ For the latest news, go to http://www.asia1.com ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers ___ evolution-hackers maillist - [EMAIL PROTECTED] http://lists.ximian.com/mailman/listinfo/evolution-hackers