PEM

Privacy Enhanced Mail, RFC 1421-1424

This text is about how to use the SECUDE PEM (Privacy Enhanced Mail, RFC 1421-1424) filter from exmh. It is not a tutorial on SECUDE or PEM. For an introduction to SECUDE or PEM check other sources.

PEM is integrated with Sedit only. It is not integrated with the external editor facilities of exmh.

In order for this to work as described, you need a PSE (Personal Security Environment). The button on this page helps you get one.

There are five basic commands in exmh associated with PEM. None of them work until you have set the MYDNAME environment variable to your Distinguished Name (your DN).

The first command is located under the message "More..." menu. It runs

secude pem -R -i smth -o smthElse -u yes

(here and below, smth and smthElse stand for the temporary input and output files exmh hands to the filter). The only purpose of this command is the "-u yes" part; the smthElse output is discarded.

The second one is activated by pressing the "Check Signature" button found in a signed message (or by selecting "Check the signature with PEM..." from the pop-up menu associated with the message part that displays "Check Signature").

The third one is activated by selecting "Show content with PEM..." in the pop-up menu associated with all content parts of type application/pem.

The second and third commands both do a

secude pem -R -i smth -o smthElse -u no -F

if "Keep PIN-code" is enabled (see Preferences->PEM interface). Otherwise they run

secude pem -R -i smth -o smthElse -F

i.e. with the default action for the -u option (which is 'ask').

In order to sign a message you pick "Sign" from the "PEM..." menu of Sedit. It adds a Pem-action header to your draft that is processed upon a Send. The Send will do a

secude pem mic-clear -R -i smth -o smthElse (-C)

In order to encrypt a message you pick "Encrypt" from the "PEM..." menu of Sedit. It also adds a Pem-action header to your draft that is processed upon a Send. The Send will do a

secude pem encrypted -R -i smth -o smthElse -j -r recipients (-C)

Before selecting "Encrypt" you should already have added all recipients to your draft. If you add recipients after selecting "Encrypt", select "Encrypt" again. Furthermore, in order for Send to retrieve all needed certificates from your PSE, you need an alias that maps each recipient's e-mail address to the right certificate: the textual name of every recipient shown in the Pem-action header must be an alias for that person's certificate. An example:

If a person's full e-mail address is fn.sn@org.co, valid recipient forms inside org may include:

fn.sn@org.co (the full address)
fn.sn (because default domain is org.co)
userid (a person's login name)

Whichever of these forms can appear in the recipients part of the Pem-action header for a given person must be added as an alias to your PSE using 'psemaint'. For persons outside your organisation you only need the full-address alias.

KNOWN BUGS:
If your certificate has expired, do not try to sign or encrypt a message before sending it: in this case SECUDE produces no output, an empty message is sent, and the contents of your draft are lost forever.
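Because Send hands the draft straight to SECUDE and uses whatever comes back, the empty-output failure above silently destroys the draft. The following guard is an added example, not code from exmh or SECUDE: it wraps the sign ("mic-clear") and encrypt ("encrypted") invocations listed in the Sedit section, refuses an empty result, and leaves the draft untouched. It assumes the result is whatever SECUDE writes to the -o file, and it reads the binary name from a hypothetical SECUDE variable so the real program can be substituted.

```shell
#!/bin/sh
# Added example (not part of exmh or SECUDE): guard the secude pem
# invocation that exmh performs on Send, so that an expired certificate,
# which makes SECUDE produce no output, cannot turn the draft into an
# empty message.
#
# Assumptions (not stated on the page): the filter writes its result to
# the file given with -o, and an empty or missing output file means it
# failed. SECUDE (hypothetical variable) names the binary to run.

: "${SECUDE:=secude}"

# pem_filter_safe MODE DRAFT OUT [extra secude args...]
#   MODE   mic-clear (sign) or encrypted (encrypt)
#   DRAFT  the draft file, passed as -i
#   OUT    where the PEM result should go, passed as -o
# Returns 0 with the result in OUT on success. On failure returns 1,
# removes any partial OUT and leaves DRAFT exactly as it was.
pem_filter_safe() {
    mode=$1; draft=$2; out=$3
    shift 3

    if [ ! -s "$draft" ]; then
        echo "pem_filter_safe: draft $draft is empty or missing" >&2
        return 1
    fi

    # Same -R -i -o form as the commands above; extra arguments such as
    # "-j -r recipients" (encrypt) or "-C" are passed through unchanged.
    "$SECUDE" pem "$mode" -R -i "$draft" -o "$out" "$@"
    status=$?

    # Exit status alone is not enough: the known bug is "no output",
    # so an empty or absent result file is treated as failure too.
    if [ "$status" -ne 0 ] || [ ! -s "$out" ]; then
        echo "pem_filter_safe: secude exited $status with no usable output; draft kept" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}
```

Usage: pem_filter_safe encrypted draft.txt draft.pem -j -r fn.sn@org.co, then only replace the draft with draft.pem when the function returns 0.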

Some specific messages cannot be decrypted with "Keep PIN-code" enabled; if you disable "Keep PIN-code", you should be able to decrypt them as well. It is unclear what characterizes the messages that cannot be decrypted, but the problem is definitely caused by a bug in the PEM implementation.
