Community Discussions and Support
Problem using ne S/MIME

Problem resolved !

Renamed;  pm-smime.fff [Dated: 11-15-2001]   to  pm-smime.fff.bak

This old utility was interfering!

; Form Fact File for S/MIME-Services to Pegasus Mail 32
; Copyright 1998 Michael in der Wiesche, all rights reserved.
; Modified in 2001 by Christian Biesinger for S/MIME Plugin
;
; -------------------------------------------------------------------------
; WARNING -- WARNING -- WARNING -- WARNING -- WARNING -- WARNING -- WARNING
; -------------------------------------------------------------------------
; WinPMail forms are executable code! You should never load forms onto your
; system unless you are absolutely certain of their pedigree, because they
; are a perfect vehicle for trojan horses.
;
; "Form flags" is a bitmap composed of the following bits:
;
;  Mnemonic     Value   Meaning
;  ----------------------------------------------------------------
;  WPM_STARTUP    1     Load the extension when WinPMail starts up
;  WPM_NOLIST     2     Do not show in the "Extensions" window list
;  WPM_HIDDEN     4     Hide the parent MDI window on loading
;  WPM_LOGGING    8     Extension wants to receive logging events
;  WPM_ONEONLY   16     Only allow one running instance at any time
;  WPM_FIRSTRUN  32     Autoload extension on first-ever WinPMail run
;  WPM_USES_TCP  64     Extension requires TCP/IP services to run

;WPM_CAN_ENCRYPT         = 256;   {  Module can encrypt messages }
;WPM_CAN_DECRYPT         = 512;   {  Module can decrypt messages }
;WPM_CAN_SIGN            = 1024; {  Module can add digital signatures to messages }
;WPM_CAN_VALIDATE        = 2048; {  Module can verify digital signatures }
;WPM_HAS_INTERFACE       = 4096; {  Module has a key management user interface }
;WPM_NEEDS_BURSTING      = 8192; {  Module requires one message per recipient }

; Needs Password         = 16384
; IS_V2_MODULE           = 32768

Form name = "S/MIME Plugin"
Form DLL = "~a\PMSMIME.DLL"
Form type = ENCRYPTOR
Form Flags = 128774
Form tagname = "SMIME-PM32"
Form triggers = "Content-Type:*application/x-pkcs7-mime*"
Form triggers = "Content-Type:*application/pkcs7-mime*"
Form triggers = "Content-Type:*multipart/signed*"
Form data = "CRYPTOR"
32-bit model = 1
End
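Decoding the Form Flags bitmap from the listing above, as an added example (not part of the original post or of Pegasus Mail): a small Python auditor that parses a form fact file, names each set bit using the table in its comments, and reports the DLL and triggers. The function names and the choice of which bits to call out are assumptions of this example.

```python
import re

# Bit values and names copied from the comment table in the listing above.
FLAG_BITS = {
    1: "WPM_STARTUP", 2: "WPM_NOLIST", 4: "WPM_HIDDEN", 8: "WPM_LOGGING",
    16: "WPM_ONEONLY", 32: "WPM_FIRSTRUN", 64: "WPM_USES_TCP",
    256: "WPM_CAN_ENCRYPT", 512: "WPM_CAN_DECRYPT", 1024: "WPM_CAN_SIGN",
    2048: "WPM_CAN_VALIDATE", 4096: "WPM_HAS_INTERFACE",
    8192: "WPM_NEEDS_BURSTING", 16384: "Needs Password", 32768: "IS_V2_MODULE",
}
# Assumption: bits worth calling out because they keep an extension out of view.
LOW_VISIBILITY = {"WPM_NOLIST", "WPM_HIDDEN"}

def parse_fff(text):
    """Return one dict per form block; each key maps to a list of values."""
    forms, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        if line.lower() == "end":               # closes the current form
            forms.append(cur)
            cur = {}
        elif m := re.match(r'([^=]+?)\s*=\s*"?(.*?)"?\s*$', line):
            cur.setdefault(m.group(1).lower(), []).append(m.group(2))
    return forms

def decode_flags(value):
    """Split a Form Flags integer into named bits and leftover unnamed bits."""
    names = [name for bit, name in FLAG_BITS.items() if value & bit]
    return names, value & ~sum(FLAG_BITS)

def audit(text):
    report = []
    for form in parse_fff(text):
        names, unnamed = decode_flags(int(form["form flags"][0]))
        report.append({"name": form["form name"][0], "dll": form["form dll"][0],
                       "triggers": form.get("form triggers", []), "flags": names,
                       "unnamed_bits": unnamed,
                       "low_visibility": sorted(LOW_VISIBILITY.intersection(names))})
    return report

# Sample input: non-comment lines taken from the listing above.
SAMPLE = r'''
Form name = "S/MIME Plugin"
Form DLL = "~a\PMSMIME.DLL"
Form Flags = 128774
Form triggers = "Content-Type:*multipart/signed*"
End
'''
```

For the value 128774 in the listing, `audit(SAMPLE)` reports WPM_NOLIST and WPM_HIDDEN set, WPM_CAN_VALIDATE clear, and bit 65536 set, which the comment table does not name.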

 


Reference Usenet: Message-ID: <38u2v49n17p9s3m08u589fmvds52b6norq@4ax.com>

{ I PREFER Usenet ! }

I sent myself a digitally signed email. My recipient PC has all the chain's certificates in the certificate store.  However I get...

"However the issuer of the certificate used for signing could not be verified"

I have all the needed certificates in the chain including the Root Certificate.  I even verified this.

 


[quote user="David H. Lipman"]

Reference Usenet: Message-ID: <38u2v49n17p9s3m08u589fmvds52b6norq@4ax.com>

{ I PREFER Usenet ! }

[/quote]

I know, but these days it looks like an antique in extinction ...

[quote user="David H. Lipman"]

I sent myself a digitally signed email. My recipient PC has all the chain's certificates in the certificate store.  However I get...

"However the issuer of the certificate used for signing could not be verified"

I have all the needed certificates in the chain including the Root Certificate.  I even verified this.

[/quote]

From my Usenet reply:

[quote user="idw"]

Well, the system itself is reporting this error, so something must be wrong: (...) Did you check the (issuer's) certificate resp. the certificate chain (manually, i.e. via button/menu entry, because it may take some time)?

The below URL displays the dialog you should get, does it show a similar message?

<http://technet.microsoft.com/en-us/library/cc962071.aspx>.

Maybe the issuer's certificate is not in the "Trusted Root Certificates" store, see <http://technet.microsoft.com/en-us/library/cc940384.aspx>.

Sorry, but certificate management (like key management with PGP) is a rather demanding issue if you don't use standard certificates issued by roots pre-installed by IE (I'm not saying I prefer it this way, it's just a matter of fact).
[/quote]

The automated verification is less strict in that it only checks the local certificate store for the certificate chain (which is usually included in the signed message anyway) and revocation lists etc. because otherwise you may have to wait until it times out before a message gets displayed. It shouldn't fail on verifying the (self-signed) root certificate, though, at least if it has been installed into your Trusted Root Certificates store.

If you've done this already can you please send a signed message to my personal email address (shown on the extension's "About ..." Dialog) so I can check this issue?

			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C

[quote user="idw"] I know, but these days it looks like an antique in extinction ...[/quote]

Yeah.  That SUCKS.

After years of Adobe hosting the AdobeForums.Com with NNTP access and forum hosting (actually unilateral feed to Usenet) they have turned off NNTP access and now use Jive software.  Man does that suck.  I will no longer participate as the front-end is slow as hell and is SOOOOO EXPLOITABLE.

I am so used to using one News Client and moving in/out of News Servers and groups.  It is PITA to have to load different web pages for different forums that have different front-ends that are slow as sh!t.

US ISPs are dismantling Usenet over CP.  My ISP, Verizon, has dropped all but the Big-8 hierarchies and censors out the Binaries.  All thanx to NY Attorney General Cuomo.  Other US ISPs have dropped Usenet access altogether. [:@]

[quote user="idw"]

The automated verification is less strict in that it only checks the local certificate store for the certificate chain (which is usually included in the signed message anyway) and revocation lists etc. because otherwise you may have to wait until it times out before a message gets displayed. It shouldn't fail on verifying the (self-signed) root certificate, though, at least if it has been installed into your Trusted Root Certificates store.

If you've done this already can you please send a signed message to my personal email address (shown on the extension's "About ..." Dialog) so I can check this issue?

[/quote]

 

I have double, triple, verified that the Root Certs are in the Root Certificate Store.  In doing so last night I blocked my Smart Card and on Monday AM I have to reset my Smart Card [N]

Unless you have an email account in the US, I can not send you a signed email.

 


[quote user="David H. Lipman"]

I have double, triple, verified that the Root Certs are in the Root Certificate Store.  In doing so last night I blocked my Smart Card and on Monday AM I have to reset my Smart Card [N]

[/quote]

Sorry to hear ...

[quote user="David H. Lipman"]

Unless you have an email account in the US, I can not send you a signed email.

[/quote]

I don't. Unfortunately it's probably impossible to solve this issue theoretically: CAPICOM offers only two options for verifying, CAPICOM_VERIFY_SIGNATURE_ONLY (the one I use) and CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE which would take significantly longer. But if the former is really applied I don't quite understand why this error occurs at all. Would it be possible to get the issuer's certificate (a signed message is the easiest way, but you may just export it to file and send as an attachment)? This way I could take a look at the properties and compare it to other root certificates to see what's different (unless you're willing to do this).

			Michael
--
IERenderer's Homepage
PGP Key ID (RSA 2048): 0xC45D831B
S/MIME Fingerprint: 94C6B471 0C623088 A5B27701 742B8666 3B7E657C