[horde] smime question, how does horde check certs

Arjen de Korte arjen+horde at de-korte.org
Thu Mar 19 13:40:57 UTC 2015


Please do not top-post.

Citeren Jan Eberhardt <j.eberhardt at hrz.uni-frankfurt.de>:

> My Use-Case is the following:
>
> User 1 and User 2 are users of the same horde instance.
>
> User 1: Uploads his public certificate to horde and sends an  
> encrypted message to user 2 (Note: user 2 does not have the public  
> cert of user 1)
>
> User 2: Receives the encrypted message from user 1, horde should  
> check the public certificate of user 1 and iff valid use it to  
> encrypt the message from user 1.

Asymmetric key encryption doesn't work this way (neither for PGP nor  
for S/MIME). In order to *send* encrypted messages, you need to have  
access to the public keys of all recipients (including yourself)  
*before* you send your message. To decrypt an encrypted message, you  
only need your own private key (and you already have that, don't you?)

> I want horde to check the public certs it knows about, to decrypt  
> encrypted messages a user receives from another.

Again, you don't need public keys to decrypt messages. You need public  
keys when you want to check the signatures that are attached to  
messages, but these will usually be appended to the message already,  
so there is no need to grab them. I can perfectly well verify the  
signatures on incoming S/MIME signed messages without ever bothering  
about public keys. You only want to check the validity of the public  
key (and that's where OCSP may come into play) when verifying  
signatures.

> I also want that User 2 can send an encrypted message to User 1,  
> without sending User 1 his public cert in advance.

See above. This is not how asymmetric encryption works.

> Kind regards
> Jan Eberhardt
>
> Zitat von Arjen de Korte <arjen+horde at de-korte.org>:
>
>> Citeren Jan Eberhardt <j.eberhardt at hrz.uni-frankfurt.de>:
>>
>>> Hi,
>>>
>>> I have a little issue with Horde 5. How does Horde 5 check if a  
>>> certificate from a signed mail (via s/mime) is still valid?
>>
>> Horde uses the OpenSSL PHP extension, which is mentioned in the  
>> installation instructions for IMP:
>>
>>    http://www.horde.org/apps/imp/docs/INSTALL
>>
>>> To get more clear: Which component of Horde 5 performs the check?  
>>> Are there settings in the Horde 5 config, which may be helpful?
>>
>> Horde_Crypt (in Horde/Crypt/Smime.php) calls openssl_pkcs7_verify  
>> to check for the validity of S/MIME signed messages:
>>
>>    http://php.net/manual/en/function.openssl-pkcs7-verify.php
>>
>>> I would like to add an OCSP resource to Horde 5.
>>
>> Just out of curiosity, what are you trying to achieve with that?
>>
>>> Kind regards,
>>> Jan Eberhardt
>>>
>>> -- 
>>> Horde mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>>
>>
>> -- 
>> This message was sent from a mailinglist subscription address.
>> For off-list replies, you must remove the address extension.



-- 
This message was sent from a mailinglist subscription address.
For off-list replies, you must remove the address extension.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 11647 bytes
Desc: S/MIME Signature
URL: <http://lists.horde.org/archives/horde/attachments/20150319/4d84c983/attachment.bin>

