>thanks for this Ken. That's quite a recipe. Heuristic. Kabbalistic
>incantation...
Heh. I mean ... toolbox approach! It gets complicated when you start wanting to integrate this into nmh. A lot of the default tools want to work on a whole file; in theory for encryption this isn't required because you can use indefinite encoding for the encrypted data (since PKCS#7 is BER not DER), but I haven't quite worked out the right way of dealing with things like PIN prompts (like if you're searching through messages, do you want a PIN prompt coming up to decrypt the message? Where do you prompt for a PIN when dealing with message composition for signing?).

Also, assuming you are dealing with smartcards, you are probably going to have to involve a PKCS#11 module at some point. And that ends up being a complicated mess, especially when dealing with OpenSSL. You CAN configure OpenSSL to use a PKCS#11 module, but it's a mess and has a lot of moving parts. I've looked at dynamically loading an encryption engine that makes calls to a PKCS#11 module to JUST deal with the encryption pieces, but that also is a challenge.

Sigh. Nothing is easy.

--Ken
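As an added example (not code from this thread, nor from nmh or OpenSSL), the Python below shows the BER property Ken relies on: because PKCS#7/CMS is BER, an encrypted body can be a constructed OCTET STRING with an indefinite length (0x80, terminated by 00 00), so a reader can consume the chunks as they arrive instead of needing the whole file first. All sample bytes are constructed here, and for brevity only single-byte tags are handled (an assumption, not a limit of BER).

```python
# Added example, not nmh/OpenSSL code: a minimal BER walker that accepts both
# definite and indefinite (0x80) lengths. PKCS#7/CMS is BER, so encrypted
# content may be an indefinite-length constructed OCTET STRING of chunks,
# which is what lets a tool stream instead of reading a whole file.
# Assumption: single-byte tags only. All sample bytes below are constructed.
def read_header(buf, pos):
    """Parse one tag and length at pos; length is None for indefinite form."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:                       # indefinite: ends at 00 00
        return tag, None, pos
    if first & 0x80:                        # long definite form
        n = first & 0x7F
        return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, first, pos                  # short definite form

def walk(buf, pos=0, end=None, depth=0, out=None):
    """Record (depth, tag, length, payload) per element; payload is None for
    constructed ones. Returns (position after the scanned region, out)."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    while pos < end:
        if buf[pos:pos + 2] == b"\x00\x00":      # end-of-contents marker
            return pos + 2, out
        tag, length, pos = read_header(buf, pos)
        constructed = bool(tag & 0x20)
        if length is None and not constructed:
            raise ValueError("indefinite length on a primitive element")
        payload = None if constructed else bytes(buf[pos:pos + length])
        out.append((depth, tag, "indef" if length is None else length, payload))
        if not constructed:
            pos += length
        elif length is None:                     # scan until EOC
            pos, _ = walk(buf, pos, end, depth + 1, out)
        else:                                    # scan exactly `length` bytes
            walk(buf, pos, pos + length, depth + 1, out)
            pos += length
    return pos, out

def octet_chunks(buf):
    """OCTET STRING (tag 0x04) payloads in order, as a streaming reader sees them."""
    return [payload for _, tag, _, payload in walk(buf)[1] if tag == 0x04]

SAMPLE = bytes.fromhex(          # constructed: SEQUENCE { id-data OID, [indef] OCTET STRING }
    "3080"                       # SEQUENCE, indefinite length
    "06092a864886f70d010701"     # OID 1.2.840.113549.1.7.1 (id-data)
    "2480"                       # constructed OCTET STRING, indefinite length
    "0403616263"                 # OCTET STRING "abc"
    "04026465"                   # OCTET STRING "de"
    "0000"                       # EOC closing the OCTET STRING
    "0000")                      # EOC closing the SEQUENCE
```

A whole-file tool would need the SEQUENCE length up front; with this encoding the walker only learns the total when it reaches the final EOC.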
