Used Zammad version: 3.5.0-1602165773.71bff28e.buster
Used Zammad installation source: (source, package, …) Debian package
Operating system: Debian Buster
Browser + version: chrome latest
When Zammad receives a signed message from a (new) client with attached a smime.p7s certificate, i.e. like the ones sent out by Thunderbird, the certificate should be saved automatically and used to verify the message signature.
The smime.p7s certificate is not saved and not used to verify the message signature. Opening the ticket, an error is shown about processing the client’s signature. The only way to get the message signature confirmed is to manually add a .pem version of client’s certificate in the S/MIME section.
Steps to reproduce the behavior:
Send a signed message to Zammad with Thunderbird
Maybe I’m missing some config parameters… is there a way to let Zammad recognize and automatically save smime.p7s certificates?
Thanks for you reply, I understand your position and I beg to disagree. The whole point of S/MIME is to delegate the trust to the built-in trusted CAs and you should, imho, just do the same, like all the browsers and mail clients out there.
Manual upload and checks would still be needed in case of a certificate signed by a CA not present in the built-in trusted CAs (i.e. /etc/ssl/certs).
As a compromise I’d suggest allowing to import a cert from the ticket view. Of course this should only be allowed for admin accounts but I can imagine workflows to make this work. If a user has no permission for importing a certifiicate just add it with a state of “proposed import by user x” or similar so an admin can just confirm or request additional information.
But I have to agree with admin-gbm: The whole point of S/MIME is to not build your own web of trust like in PGP. Of course I can just upload all the root and intermediate CAs. But still, it’s not about allowing access to the system but to secure communication. As it is it encourages to just skip S/MIME because of the additional hurdles. All the checks if someone really is the person they pretend to be are up to the cert issuer.