Open Bug 74157 Opened 20 years ago Updated 6 months ago
S/MIME support in Mozilla Mail tracking bug
There's some discussion around about the need of S/MIME support in Mozilla/Netscpae 6, but no specific bug opened for that. I know everyone in Netscape has many things to do for Mozilla, but S/MIME is really important. It's hard for me to imagine version 1.0 would ship without S/MIME. SSL/TLS was a requirement for the navigator from the start. Why is S/MIME so low in the order of priority comparatively ? Well, at least this RFE will make clearly visible what level of importance Netscape is giving to this. Most of the bricks needed for S/MIME are there, NSS has all the component required, the signing/encrypting UI is being created for the PGP plug-in. BTW currently a signed mail where the signed content is included inside the signature will generate the following display : This is an ENCRYPTED message. Mozilla Mail does not support encrypted mail. In that case, it's false, the message is signed, not encrypted, but the signed content is not available separately from the signature.
Assignee: mstoltz → ddrinan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Product: MailNews → Browser
Component: Security: General → Security: Crypto
If I understand the Mozilla schedule, S/MIME will not be done in time to ship 1.0. We are, however, staffing up to take the existing S/MIME libraries in NSS and reflect them in the mail client. Volunteers should contact email@example.com. Stay tuned to the mozilla.crypto newsgroup. We'll post there as we make progress.
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.0
*** Bug 85249 has been marked as a duplicate of this bug. ***
*** Bug 89232 has been marked as a duplicate of this bug. ***
*** Bug 91586 has been marked as a duplicate of this bug. ***
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Since Netscape 4.x had this feature Mozilla 1.0 shouldn't be released without S/MIME support. The people who need encrypted mail can't change to Mozilla without S/MIME.
*** Bug 103030 has been marked as a duplicate of this bug. ***
*** Bug 63288 has been marked as a duplicate of this bug. ***
QA > alam
QA Contact: ckritzer → alam
*** Bug 84213 has been marked as a duplicate of this bug. ***
We're starting the process to land the first cut at S/MIME support in the Mozilla Mail client. This first cut will have close to no UI, but it will allow you to send and receive signed and encrypted email. The first draft of the UI specs will follow shortly after. You should expect to see some progress in the next 2-3 weeks if all goes as planned.
Let us know how we can test it
*** Bug 108548 has been marked as a duplicate of this bug. ***
*** Bug 108556 has been marked as a duplicate of this bug. ***
S/MIME seems to be in now... just to let those people know who wanted to know :)
I just downloaded the latest 11/13 build and it is not there. And even worse, the security manager is gone! I cannot manage my certificates now. Please explain how we are to access the S/MIME features?
I found out that MailNews now displays a message about verification of signed S/MIME messages. E.G.: I've recieved a signed message. Here's a fragment of its Content type: Content-Type: multipart/signed; micalg=SHA1; protocol="application/x-pkcs7-signature"; When I click to read it, i get a messagebox stating "This is a signed message with a valid signature". Are there any more goodies?
See bug 105526
Is this support in the public trunk? I downloaded today's version for Linux, and while there are options to sign and encrypt, they do nothing. They do not even trigger the certificate selection process. The 111303 windows (2k) version (Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.5+) Gecko/20011113) does not even have the security option in the mail composition window. Am I missing something here?
you first select your cert under mail server options. The sign/encrypt options will then work. -GA
The user interface is surely a lot worse than in Netscape. I did all you said, and now the mail send fails, saying to check the mail server settings. Also, when I pop up the security options menu in the Linux compose window, selecting any of the options does not seem to stick. There is no dot next to the option when i click it and then come back to the menu.
"...and now the mail send fails, saying to check the mail server settings." reference: http://bugzilla.mozilla.org/show_bug.cgi?id=108912
I tried today's linux build (SuSE 7.3 dual processor pentium pro) again. When I turned off the sign mail box, it was able to send mail. When I turned it back on and tried again, Mozilla crashed. Twice. The feedback agent sent 2 reports ....
The final design is still being worked out. this is a daily build release that will help us work out the bugs in the underlying crypto libraries. For the UI, see: http://www.mozilla.org/mailnews/specs/security/ and http://www.mozilla.org/mailnews/specs/security/Options.html
Please see also netscape.public.mozilla.crypto
I'm working in build 2001112806 on MacOS X (10.1.1) and if I have the option selected to sign a message when it is being sent, I get an error saying "Sending of message Failed. Please verify that your Mail & Newsgroups settings are correct and try again." If I disable the option to sign, mail sends just fine. I'll be glad to do more testing if anyone wants me to try something.
OK, I kinda need to rescind that last report. The problem appears to be that you get that error if you are trying to use a certificate that is not trusted (in my case, the root CA was not installed). But never the less, the error is still a bad one. I guess one needs to get an error saying that there is a problem with the certificate that you are trying to use to sign email.
Now that S/MIME Support was checked in and enabled, shouldn't this bug be closed?
If it is enabled, it surely does not work for me yet on yesterday's build. There are at least "user interface" issues since it works like a charm for me on Netscape 4.7x, but I cannot get a signed or encrypted message sent. Perhaps a short tutorial posted here might solve this. I usually get an error about a misconfiguration of the mail server.
A big problem with the S/MIME interface is that it does not allow you to select the recipient's certificate. I for example have one certificate, but about 6 e-mail addresses. If a person wants to send me e-mail at other than the address in the certificate, he is out of luck. The option/security menu does not allow an encrypt and/or sign just this message. In general, I do not want to encrypt or sign everything! A poster here said S/MIME will not work unless all the CAs are "trusted." Well, if the send fails because of this, a pop-up needs to be generated saying which CA is the problem and also allowing the user to decide whether to trust it just this once, or forever, and for what purposes.
My mail still fails to send if I check encryption or signature. And A lot of the times, the buttons for these do not stick. I set them, and for the same message, return to the security settings option, and they are unset again. So if the encrypt option is set, the mail will not send, or else, it cannot be set.
I'm seeing this too now (send failed if signing checked).
http://rocknroll/users/jglick/publish/Security/Security.html does not work for me..... I have no problems using certificates with Netscape 4.x... For commercial purposes, I agreee about that e-mail address matching the certificate address is a good idea. But if I want to send private mail to friends, they will know it is me, even if my account and e-mail do not match. Managing user certificates gets to be a nightmare, and certificates cost money, so having many is hard to justify. If I encrypt a message with a certificate that does not agree with my e-mail address, my receiver, if they already have and trust my certificate, knows that it was encrypted with my private key, so if the certificate has not been revoked, it really did come from me. The situation gets more complex when I have multiple e-mail aliases that all go to the same place. I am firstname.lastname@example.org, email@example.com, firstname.lastname@example.org. They all get sent to the same place, and I cannot always control which one is used. In any event, this choice should be up to the user.
Sorry, make that: http://www.mozilla.org/mailnews/specs/security/
Another option to check is your OCSP setting. See Bug 119540
The inteface spec helped a bit. I sent myself a signed message (to my pop account), and the expanded subject said signed, but there was no visible signature icon, nor any way to see the signature. I was able to view the message source and see the signature in a non-readable format.
I have been able to : - read and verify succesfully signed emails - read and fail verify (CA not trusted) of signed emails - send encrypted email AFAIC, the initial RFE is done. I can sign, I can encrypt. Now the UI still need work. I can't have a description of why the check failed or see the certificate of the sender (comment #37, this was in 4.x), and some people want more sophisticated treatement of the relation email-certificate as can be seen in some comment (comment #33, comment #37 , this wasn't in 4.X). AFAIC, I feel this requests could be in seperated bug, and this bug closed-verified. For people who are used to N 4.X, finding where to set the certificate options for mail is really difficult and non intuitive, even if the sheer fact of linking then to mail account is a very good idea. Finding how it can be enhanced could be a usability bug, too.
I think you need to give us folks some clues about how to do all of this. I sent myself a signed message. There is NOTHING on the window to indicate this. If I expand the subject pane, it says <signed>, but I find no way of viewing the signature. I tried to send an encrypted piece of mail to myself. It complained that it couldn't find my certificate. I went to the LDAP and downloaded it, so it should have been in the list of "others" certificates. But it is not there. When I view my personal certificates, the e-mail address is not listed. Another issue is that we have e-mail aliases. I am email@example.com and firstname.lastname@example.org. They both go to the same place. I need a way of seeing which address my certificate is for. What am I missing?
For the UI please look at the specs as described in comment #27 (only the first link is relevant.) You're using an alpha product as far as s/mime is concerned. You should not rely on it.
I saw none of the widgets described in the spec in my signed message.
exactly. the specs is what you'll have when we're done.
Adding some S/MIME bugs to dependencies.
Please consider adding a dependency on bug #117992, filed on a problem in retrieving new certificates from Thawte. Thawte Freemail is currently the only to get a free and widely-recognized personal certificate, so this is quite critical for many potential users of S/MIME.
A nice guide was noted by Stephane Saux a month ago in news://news.mozilla.org:119/3C4F6A59.email@example.com which should help people figure out how to get started testing: Sean Cotter put together the following document on using the preliminary s/mime functionality now present in daily mozilla builds. The UI is not fully implemented. It includes information on getting a test certificate so that one can get going. Note that these certificates have a 7 day validity period, so one has to go and obtain new certs fairly regularly. http://www.mozilla.org/projects/security/pki/psm/smime_guide.html
Another free source of S/MIME certificates is Jeff Schiller's fancifully named "Black Helicopter Organization". Before you ask how much you should trust these certs, ask yourself how much liability the commercial cert providers are willing to accept for their certs.... http://www.black-helicopter.org/bh/ These are not dual-key certs, so they allow testing different aspects of Mozilla than the Netscape Test Certificate Authority certs at https://testca.netscape.com/ Jeff's also are valid for a lot longer - one year.
Component: Client Library → S/MIME
QA Contact: alam → carosendahl
removing nsbeta1+ as this is a tracking bug
Summary: [RFE] S/MIME support in Mozilla Mail → [RFE] S/MIME support in Mozilla Mail tracking bug
Summary: [RFE] S/MIME support in Mozilla Mail tracking bug → S/MIME support in Mozilla Mail tracking bug
There seems to be an inability to handle S/MIME e-mail from Outlook Express. The mail looks like: <usual mail header> This is a multi-part message in MIME format. ------=_NextPart_000_000E_01C30B52.0C15E090 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit <mail message textual content> ------=_NextPart_000_000E_01C30B52.0C15E090 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIPpzCCA60w ggMWoAMCAQICBDyGbZ8wDQYJKoZIhvcNAQEFBQAwbjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu Uy4gR292ZXJubWVudDEdMBsGA1UECxMURGVwYXJ0bWVudCBvZiBFbmVyZ3kxJjAkBgNVBAsTHU9h ayBSaWRnZSBOYXRpb25hbCBMYWJvcmF0b3J5MB4XDTAyMDMwNjE4NTcyOFoXDTIyMDMwNjE5Mjcy OFowbjELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEdMBsGA1UECxMURGVw ..... k7OtvjyeMAeHi47gAPr54tT2qxa8eAks7qd60xLFpv9+wqXIqiUjYoh3x8QIhM78MLTkPUd9NQUA AAAAAAA= ------=_NextPart_000_000E_01C30B52.0C15E090-- 1) The signature icon in the bottom border is not there 2) Inside the attachment window, is an icon that says it is signed, but you can't tell unless you open the attachment panel. 3) There seems no way to import the .p7s file into my Mozilla so I can use his public key. I even tried clipping the signature file, putting it into a .p7 file, but that did not work either. I am using build 2003041704 on win2k. Why isn't this working?
James, this kind of question should be reserved for the support newsgroups (news://news.mozilla.org/netscape.public.mozilla.crypto or news://news.mozilla.org/netscape.public.mozilla.mail-news), not added to a bug report like this one. If indeed there's a problem in Mozilla, it should be added as a new bug only once there's a better description of it. I received hundreds of signed/encrypted mails from Outlook users, they usually work. The "usual mail header" part is the one that sounds the most suspicious. If you want someone to answer you on the newsgroups, send *all* the headers and all the content of the mail (anonymize mail adresses first).
Mass reassign ddrinan's PSM bugs (with his permission) to nobody
Assignee: ddrinan0264 → nobody
QA Contact: carosendahl → nobody
Target Milestone: Future → ---
You need to log in before you can comment on or make changes to this bug.