Closed Bug 396353 Opened 18 years ago Closed 18 years ago

S/MIME Handling in respect to current PGP offering is lacking the same functionality

Categories

(Thunderbird :: Security, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: alpha096, Assigned: dveditz)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.5) Gecko/20061023 SUSE/2.0.0.5-1.1 Firefox/2.0.0.5
Build Identifier: version 2.0.0.6 (20070728)

I am very disappointed that in the new release of Thunderbird and Enigmail we still cannot offer the same GUI functionality afforded to S/MIME that we give to PGP. There is still NO apparent way of attaching your public key to send to the recipient so that they can import it via the GUI and thus facilitate further encrypted messages. Therefore less than half the functionality of an S/MIME certificate is available as of this date.

With respect to comment 23 - Of course, for organisations who have all users with X.509 certificates, sending encrypted email is not an issue as they already have the CA's encryption/signing capabilities. This being the case, even I can encrypt an email to ANY other user who has a Thawte or Verisign (same company) digital certificate. Because a recipient has a similar CA's decryption algorithm there is no requirement to send it. The signature algorithm is different, however the decryption algorithm is NOT. If we all had Thawte freemail certificates we can immediately send encrypted emails. If the user does NOT be need to send the 1. attach the decryption key and 2. give the recipient the ability to import it simply

So in conclusion, where an organisation all have 1 CA X.509 certificate - there is no issue for that organisation. It is clearly apparent that Thunderbird and Enigmail completely rely on PGP functionality.

ALL I am suggesting is we give equal weight to the World standard X.509 rather than PGP - It's a big world market out there and to ignore ISO standards we just make up the rules as we go - There IS life outside North America and ISO standards are there for a reason, and if you want the EU to use Thunderbird I humbly suggest we take a clear look at X.509 as there is so much more than just digital signing and encryption - There is also the S/MIME standard for digital receipt that recipients cannot stop if requested as they are auto processed via opening an X.509 digitally signed and X.509 receipt notification and tracking.

Please forgive my passion, but the authors of Thunderbird and Enigmail are just ignoring the one world - 1 standard, without which we just have confusion as above. As such we have failed and hence reclassified as lack of functionality with no workaround == bug

I do appreciate that a recipient who has Thunderbird "When you send someone a message signed with your S/MIME certificate, then your public key is automatically attached to this message together with the signature. And when you receive a signed message, the public key of the sender is automatically saved in your "Other people's certificates" list. (Provided that Thunderbird knows the CA which has issued the certificate; otherwise you first have to import the CA's certificate.)"

However, the world does not all use Thunderbird and as such any Microsoft client cannot install the public key which is offered in its proprietary format. Whilst the algorithm is seen in the Microsoft client's receipt of the message, they are powerless to import it as it is not presented as an attachment as specified in the ISO. This is rated as a bug as current public key handling does NOT comply with ISO

Reproducible: Always

Steps to Reproduce:
1. Send an X.509 signed email to a Microsoft recipient and ask them to import same.
2. Only Thunderbird auto inserts public encryption key
3. ISO standard states that the public key when attached is presented in such attached file format that ANY email client will import when opened. Being a digitally signed email, the attached public encryption key is not ever stripped, in line with S/MIME ISO

Faithfully reproducible

Actual Results:
The encryption public key is not sent as an attachment as per ISO. There is no functionality to stop automatic sending of public key algorithm - This should be the user's choice to offer it. When a plain text email is sent there is a huge amount of the message which is occupied by the public encryption key, unnecessarily adding to user confusion, huge message length etc

Expected Results:
Provide the same functionality of PGP to S/MIME in respect to 1. User sending message makes decision to attach public key or not. Public key is sent as an attached file in line with ISO standards that permits a non Thunderbird client to import the key via existing GUI and ISO standards

http://mysite.verizon.net/ambur/x509.htm
http://www.pki-page.org/

Suggest this option is written as an add-on much like Enigmail and is also included in current DOD addon

Bugzilla is our technical bug database, not a place for random advocacy of... whatever it is that you're advocating, which is impossible to decipher. As you've been told repeatedly in various bugs, if you don't know how to do something with S/MIME in Thunderbird, please ask how to do it in http://groups.google.com/group/mozilla.dev.tech.crypto/topics - if it turns out that it's not yet possible to do it, then the people there can either direct you to an existing bug about it, or help you file one, or can file one themselves in a way that will be clear to the people who can then fix it.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INCOMPLETE
Enigmail in particular is not produced by Mozilla. We are grateful to the Enigmail team for their efforts since there are a lot of people who use PGP (and it's definitely not just North Americans, the majority of the Enigmail team--including the project lead--appear to be in Europe), but if you have any complaints or requests involving Enigmail you should take it up with them. Links to their forums and bug database can be found at http://enigmail.mozdev.org
(In reply to comment #0)
Scott, what you write is not true. I have explicitly verified the following:

1.) I have sent a signed message from Thunderbird to another account.
2.) I have received this message at the other account with MS Outlook.
3.) Outlook was able to
    a) verify the signature made by Thunderbird,
    b) reply to the sender encrypting the reply message using the public key sent in the original message (without any "import public key action"),
    c) add the sender's address to the Outlook contacts, including the sender's certificate with the public key.

So where's the problem?

> Steps to Reproduce:
> 1. Send an X.509 signed email to a Microsoft recipient and ask them to import
> same.
> 2. Only Thunderbird auto inserts public encryption key
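
The point argued in this thread, that an S/MIME signature carries the signer's certificate and that a sender could choose to leave it out, can be checked outside any mail client. The following is an added example, not part of the bug report or of Thunderbird's code: it signs a constructed message with the OpenSSL command line and counts the certificates embedded in the signature, with and without `-nocerts`. The identity, address and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: an S/MIME signature normally embeds the signer's certificate
# in its PKCS#7 blob; signing with -nocerts leaves the certificate out.
# All names, addresses and file names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed identity (stands in for a CA-issued certificate).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Sender/emailAddress=sender@example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# sign_message OUTFILE [extra "openssl smime" flags...]
sign_message() {
    out=$1; shift
    printf 'constructed test body\n' > "$WORK/body.txt"
    openssl smime -sign -in "$WORK/body.txt" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" "$@" -out "$out"
}

# Print the number of certificates embedded in a signed message's signature.
count_embedded_certs() {
    openssl smime -pk7out -in "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep -c '^subject=' || true   # grep exits 1 on a zero count
}

make_identity
sign_message "$WORK/with_cert.eml"            # default: certificate included
sign_message "$WORK/no_cert.eml" -nocerts     # sender opts out of including it

echo "default signing: $(count_embedded_certs "$WORK/with_cert.eml") certificate(s) embedded"
echo "with -nocerts:   $(count_embedded_certs "$WORK/no_cert.eml") certificate(s) embedded"
```

A recipient of the `-nocerts` message can still verify it only if they already hold the signer's certificate, and cannot pick up the key for an encrypted reply from the message itself.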