Hi folks--

id:e4a7efe92433f7c3e5dedeac0ea4efc003020296.ca...@ericsson.com from the
IETF LAMPS WG mailing list <sp...@ietf.org> can be found at 
when rendering it, notmuch-emacs shows:

     [ Good signature by: 
 Westerlund,O=Ericsson ]

1.2.840.113549.1.9.1 is the OID for emailAddress in distinguished names.
This field is deprecated according to
https://www.oid-info.com/get/1.2.840.113549.1.9.1 and §5.2.1 of
https://datatracker.ietf.org/doc/html/rfc2985#page-7, but it is still
very much in use as evidenced by the message's X.509 certificate, which
was issued less than a year ago (in 2020-12-11) with a 3-year validity

I wanted to make this visible in notmuch as the more legible form
"EMAIL=magnus.westerl...@ericsson.com,CN=Magnus Westerlund,O=Ericsson".
i tracked it down to a constraint in libksba's parsing code, and
reported it to GnuPG (libksba's upstream) here:
https://dev.gnupg.org/T5450 and the fix was rejected.

I don't think that notmuch should try to contain any string-to-DN
parsing code, and notmuch's use of gmime here is basically a passthrough
from gpgme, so i'm a bit stuck.

It occurs to me that maybe notmuch should be identifying the e-mail
address (and only the e-mail address?) instead of the other elements of
the user ID, which are more dubious than the e-mail address anyway.

It seems possible to do this by using the g_mime_certificate's email
field in preference to the g_mime_certificate's user_id field, at least
for this particular certificate, because it contains a subjectAltName of
type rfc822name that is just the e-mail address.

I see a couple different options available to do this:

 a) add an "email?" field to the "signature" object in devel/schemata,
    and then teach notmuch-emacs to render that instead of the userid
    field in cases where it's present.

 b) replace the content of the userid field in the "signature" object
    with the e-mail address entirely.

I'm leaning toward (a), though it requires fiddling in more places.  At
the very least, the first step of (a) doesn't seem objectionable.

(note: GMimeCertificate's email field itself is of somewhat dubious
provenance, and i'm trying to clean that up at

What do folks think?


notmuch mailing list -- notmuch@notmuchmail.org