Bug 269128

Summary: Thunderbird version in Open Suse lacks functionality - specifically S/MIME certificate processing.
Product: [openSUSE] openSUSE 10.2
Reporter: Scott Couston <scott>
Component: Usability
Assignee: Wolfgang Rosenauer <wolfgang>
Status: RESOLVED INVALID
QA Contact: Siegfried Olschner <siegfried.olschner>
Severity: Normal
Priority: P5 - None
CC: crrodriguez
Version: Final   
Target Milestone: ---   
Hardware: i386   
OS: Other   
Whiteboard:
Found By: Customer Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Scott Couston 2007-04-27 07:55:08 UTC
After establishing that there was no real mechanism available for a user of the Open Suse Thunderbird Email Client to attach their public key for an S/MIME digitally signed email in order to facilitate future encryption, the following became apparent.

I made the following request of Mozilla with respect to drastically changing the application's handling of S/MIME digital signatures.

Quote to Mozilla
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.2)
Gecko/20061023 SUSE/2.0.0.2-1.1 Firefox/2.0.0.2
Build Identifier: version 1.5.0.10 (20060911)

There is a great deal of code devoted to PGP processes and almost none to
S/MIME.
Request you separate the 2 vastly different methods of Digital Signatures and
Encryption.
If you desire the commercial use of Thunderbird, which does not accept PGP, as
anyone can create a PGP signature that is not automatically verified and if
verified it can never be trusted; there needs to be equal commitment to S/MIME as
there is currently to PGP.

PGP does have useful purposes intra domain, however we have a world standard in
S/MIME.

I appreciate that PGP is more in keeping with open source policy - however it
does not exclude its wide commercial use and application.

Currently Thunderbird could not pass enough security guidelines for any of the
following domains .MIL .GOV .IT  - And these are big players in the commercial
marketplace. Please take into consideration the many enhancement requests
already present for S/MIME functionality.

Reproducible: Always

Unquote

The following response was received from Mozilla in respect to the above.

Quote
Umm, stock Thunderbird does not have anything OpenPGP at all.  The SuSE
packaged version of Thunderbird does have the Enigmail and Mail Redirector
extensions packaged with it for some reason, though.  Which means you would
need to talk to them instead :(

(Thunderbird does have the S/MIME stuff built in by default, which is way more
support than PGP does...)
Unquote

I can only assume that "them" refers to the open suse Distribution and offer the following thoughts.

Why do we remove current functional aspects of the original production version?

This would seem counterproductive in that for every release we need to maintain an altered version of the official release.

From a development point of view modifications of an application that is constantly under development will require valuable time and possibly removal of functionality that is expected to be available.

Whilst the version of Thunderbird provided by Suse .RPM provides the ability to digitally sign messages it is not apparently able to click on "attach public Key" for any signed message.

PGP signatures by themselves can be created by anyone and carry NO authenticity even as to the validity of the address it signs.

I do understand the issue of PGP Key servers.

As such every PGP signed message when received by various email clients can display warnings, in the case of Microsoft Clients "Invalid Signature", to other less alarming messages of "invalidated signature".

I really do not understand the need to change the version of Thunderbird created and maintained by Mozilla when it offers equal facilities in respect to digital signatures, both PGP and S/MIME (as told by the above response).

I do understand that I can download the Mozilla Version of Thunderbird, however I would like to think that there is no need to change its functionality unless its RC format is not compatible and will not function under Open Suse unless it is modified.

As well as duplication of possible future conflicting development plans by Mozilla, in the first instance, and Open Suse in the second I feel we are trying to re-invent the wheel with a considerable ongoing need to change the Mozilla Product with every version of Thunderbird and every version of Open Suse at the possible expense of attending to known bugs.

The issue of providing a possible security update issued by Mozilla to the installed Suse Product frightens me.

I have reported this as a bug in lieu of an enhancement as the open suse version of Thunderbird appears to have commercially/operability valuable which in respect to "does have the S/MIME stuff built in by default" removed from the distribution contained in open suse.

Please tell me some other organisation has decided to remove and modify existing functionality of a fast developing open source product and I have the above all the wrong way around.

Discussion/awareness is indicated above.
Comment 1 Wolfgang Rosenauer 2007-04-27 11:45:34 UTC
Could you please explain again in two sentences what should be missing?
I'm not aware of anything we would remove by intention and I don't think we remove functionality by accident by prepackaging enigmail.
Comment 2 Scott Couston 2007-04-28 00:38:26 UTC
There is almost no functionality devoted to S/MIME. Specifically the ability to attach an S/MIME public key.

From the information gathered from Mozilla this ability exists in their RC, moreover "(Thunderbird does have the S/MIME stuff built in by default, which is way more support than PGP does...)"

I will load the Mozilla RC today to be able to make more specific comments. Leave on Need Info
Comment 3 Wolfgang Rosenauer 2007-04-28 07:08:11 UTC
Feel free to check yourself but all S/MIME functionality should be there.
It can be set up for every account in the account options.
Comment 4 Scott Couston 2007-04-28 08:12:10 UTC
Wolfgang, if you tell me the functional aspects of S/MIME are the same in both the open suse and Mozilla versions I am more than happy and pleased to accept your statement.

This issue I believe is with Mozilla (many contributors) however I needed to go through this use of valuable time just to repeal the issue back to Mozilla without confusion and vague statements from them.

I still need to install it for myself to continue with Mozilla.

I really cannot believe that a bug essentially "unable to attach public key for S/MIME signatures" could not have been simply addressed by Mozilla and turned this simple issue into confusion and a never ending story.

I am happy to close as Later for now and follow through with eventual close invalid pending 'facts' found by myself and accepted by Mozilla.

Cheers and frustrated at the need to consume all parties' valuable time.

Scott ;-)
Comment 5 Scott Couston 2007-04-29 01:38:59 UTC
After investigation re comment from Mozilla 

Quote
(Thunderbird does have the S/MIME stuff built in by default, which is way more
support than PGP does...)
Unquote

This statement could not be any further away from a true summation of the function handling of S/MIME certificates.

Tests with NEW version 2.0 show the same handling of certificates as version 1.5. You can import ANY type of certificate but you can only digitally sign messages.

There IS no additional functionality between version 1.5 and 2.0 in this respect.

The addition of enigmail provides complete support for PGP in the same manner as 1.5/2.0.

There IS no further support for S/MIME certificates other than the ability to sign a message. If this was the only application of S/MIME certificate that the author of this quote understands; I can only conclude this statement has been made out of ignorance and total lack of the purpose and functional requirements available in code handling of any PKI certificate let alone an S/MIME X.509 issued key.

There is NO additional functional advantage in installing the same add-on of Enigmail which is totally devoted to PGP functionality.

Comment 6 Scott Couston 2007-04-29 01:40:46 UTC
Epilogue:-

Perhaps the understanding and exposure of PKI standards is severely limited on behalf of Mozilla.
Comment 7 Cristian Rodríguez 2007-04-29 03:52:47 UTC
(In reply to comment #6)
> Epilogue:-
> 
> Perhaps the understanding and exposure of PKI standards is severely limited on
> behalf of Mozilla.
> 

They probably have very good reasons to not implement what you are requesting.. maybe these "so-called" standards are based on proprietary/patented technology..

And this is not something you have to discuss with us; ask Mozilla developers, they will give you their rationale..
Comment 8 Scott Couston 2007-04-29 06:28:25 UTC
NO. It's the International standard - sponsored and created by the United Nations and as such is only proprietary to the whole world ;-)

I will discuss it more gently with Mozilla, apologies about my frustration which is evident and I should not allow them to alter my level of usage when there is nothing constructive to gain.

http://mysite.verizon.net/ambur/x509.htm

You have a kind heart Cristian - don't lose that

regards ;-)