nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0

S/MIME support #7085

Closed ChristophWurst closed 1 year ago

ChristophWurst commented 2 years ago

Is your feature request related to a problem? Please describe.

As a user I want to send email in the most secure and trustworthy way. One of the many ways to secure an email is S/MIME.

This standard can be used to:

1) Sign a message – multipart/signed
2) Encrypt a message – multipart/encrypted
3) Sign and encrypt a message

Right now the app supports inline encryption with the help of Mailvelope. This covers the PGP/INLINE standard.

In contrast to PGP/MIME (https://github.com/nextcloud/mail/issues/3833), which uses a web of trust, S/MIME uses a public key infrastructure. This makes key handling more practical for some environments.

Describe the solution you'd like

0. Key management

1. Verifying a signed message

Requires the sender's public key.

The app has to verify that a message is valid. Ideally it can also show the certificate information to the user.

2. Encrypting messages

Requires the public keys of all recipients. Also requires the user's own public key if the message in Sent should be decryptable.

3. Signing messages

Requires the private key.

4. Decrypting a message

Requires the private key.

Describe alternatives you've considered

PGP/MIME - https://github.com/nextcloud/mail/issues/3833

Reference implementation

Google's hosted S/MIME

Encryption, decryption and signatures handled transparently, at the cost of handing the private key to Google.

https://support.google.com/a/answer/6374496 https://formsmarts.com/gmail-smime-encrypted-email

Mailpile

https://github.com/mailpile/Mailpile/issues/81

Interesting thought on key management: https://github.com/mailpile/Mailpile/issues/81#issuecomment-38500218

Mew

https://www.mew.org/en/feature/smime.html

Not a comparable application, but interesting usage of gpgsm as backend.

Horde

https://www.horde.org/apps/webmail/

Thunderbird

https://www.ssl.com/how-to/installing-an-s-mime-certificate-and-sending-secure-email-in-mozilla-thunderbird-on-windows-10/

Outlook web

https://support.microsoft.com/en-us/office/encrypt-messages-by-using-s-mime-in-outlook-web-app-2e57e4bd-4cc2-4531-9a39-426e7c873e26

Roundcube

Doesn't have it either yet, but there is a similar ticket: https://github.com/roundcube/roundcubemail/issues/4977.

Particularly interesting is the draft roadmap for implementation: https://github.com/roundcube/roundcubemail/issues/4977#issuecomment-328578573. It makes sense to start with the parts that do not require a private key. Those can be done on the backend without special measures.

PR for signed message verification: https://github.com/roundcube/roundcubemail/pull/6043

Zoho

https://www.zoho.com/mail/help/s-mime.html

Caveats

Work packages

Additional context

Ref https://www.rfc-editor.org/rfc/rfc1847 Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted
Ref https://www.rfc-editor.org/rfc/rfc2633 S/MIME Version 3 Message Specification
Ref https://www.rfc-editor.org/rfc/rfc5751 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2: Message Specification
Ref https://www.rfc-editor.org/rfc/rfc8551 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0: Message Specification
Ref https://proton.me/support/pgp-mime-pgp-inline
Ref https://github.com/nextcloud/mail/issues/3833
Ref https://help.nextcloud.com/t/any-plans-to-add-s-mime-support-to-one-of-the-webmail-apps/59061
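The first work item in the issue, verifying a signed message, starts with the RFC 1847 structure: the signature covers the first body part byte-for-byte, including that part's own MIME headers, and the second part carries the detached CMS signature. The example below is added here and is not code from the Nextcloud Mail project; it uses only the Python standard library, the sample message and its `sigbnd` boundary are constructed, and the base64 payload of the signature part is the placeholder string `PLACEHOLDER` rather than a real CMS blob. It extracts exactly the bytes a verifier must hash, rejects malformed or downgraded structures (wrong protocol, unsupported `micalg`, wrong number of parts), and computes the `micalg` digest; checking the CMS `SignedData` against the signer's certificate chain is then the job of a CMS library such as openssl or the gpgsm backend mentioned in the thread.

```python
import email
import hashlib
from dataclasses import dataclass
from email import policy

# Constructed sample (not a real message): a multipart/signed message laid out
# as RFC 1847 describes, carrying an S/MIME detached signature part. The
# base64 payload decodes to the placeholder "PLACEHOLDER", not a real CMS blob.
SAMPLE_SIGNED_MESSAGE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: signed\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b'  micalg=sha-256; boundary="sigbnd"\r\n'
    b"\r\n"
    b"--sigbnd\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hello Bob\r\n"
    b"--sigbnd\r\n"
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UExBQ0VIT0xERVI=\r\n"
    b"--sigbnd--\r\n"
)

# micalg values registered by RFC 5751 section 3.4.3.2; anything else (md5,
# missing, unknown) is rejected rather than guessed.
MICALG_TO_HASHLIB = {"sha-1": "sha1", "sha-256": "sha256",
                     "sha-384": "sha384", "sha-512": "sha512"}


@dataclass
class SignedParts:
    micalg: str
    signed_bytes: bytes   # exact bytes the signature covers
    signature: bytes      # decoded CMS SignedData blob
    digest: str           # lowercase hex digest of signed_bytes using micalg


def parse_multipart_signed(raw: bytes) -> SignedParts:
    """Split a multipart/signed message into the bytes to verify and the
    detached signature, enforcing the structural rules of RFC 1847."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    protocol = msg.get_param("protocol")
    micalg = str(msg.get_param("micalg", "")).lower()
    boundary = msg.get_boundary()
    if protocol != "application/pkcs7-signature":
        raise ValueError(f"unsupported protocol {protocol!r}")
    if micalg not in MICALG_TO_HASHLIB or not boundary:
        raise ValueError("missing or unsupported micalg/boundary")

    # Work on the raw bytes: re-serialising parsed parts may refold headers,
    # but the signature is over the first body part exactly as transmitted,
    # including its MIME headers and excluding the CRLF before the delimiter.
    body = raw[raw.index(b"\r\n\r\n") + 4:]
    delim = b"\r\n--" + boundary.encode("ascii")
    chunks = (b"\r\n" + body).split(delim)
    # chunks: preamble, first body part, signature part, "--" + epilogue
    if len(chunks) != 4 or not chunks[3].startswith(b"--"):
        raise ValueError("multipart/signed must contain exactly two body parts")
    signed_bytes = chunks[1][2:]     # drop the CRLF that ends the delimiter line
    sig_part = email.message_from_bytes(chunks[2][2:], policy=policy.default)
    if sig_part.get_content_type() != protocol:
        raise ValueError("second body part does not match the protocol parameter")
    signature = sig_part.get_payload(decode=True)
    digest = hashlib.new(MICALG_TO_HASHLIB[micalg], signed_bytes).hexdigest()
    return SignedParts(micalg, signed_bytes, signature, digest)


if __name__ == "__main__":
    parts = parse_multipart_signed(SAMPLE_SIGNED_MESSAGE)
    print(parts.micalg, parts.digest)
    print(parts.signed_bytes)
```

The digest and `signed_bytes` are what get handed to the CMS verifier; note that the signed bytes include the inner `Content-Type` header, so a verifier that hashes only the decoded text body will never validate a conforming signature, and the `micalg` check is what stops a message from steering the verifier onto a weak hash.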

ChristophWurst commented 1 year ago

Right now the app supports inline encryption with the help of Mailvelope. This covers the PGP/INLINE standard.

If https://github.com/mailvelope/mailvelope/issues/342 ever happens we could get S/MIME support through Mailvelope. Right now it doesn't look like that will happen although Mailvelope can use GnuPG as a backend (https://github.com/mailvelope/mailvelope/issues/238#issuecomment-447895904) and gpgsm could be accessed in theory.

ChristophWurst commented 1 year ago

It's done