dirmngr trusted authorities
Andre Heinecke
aheinecke at intevation.de
Tue Jul 19 09:54:39 CEST 2016
Hi,
On Monday 18 July 2016 16:29:00 Daniel Kahn Gillmor wrote:
> according to its docs, dirmngr appears to look for X.509 certs as
> DER-encoded files named *.crt or *.der in /etc/gnupg/trusted-certs/ (for
> root authorities) and /etc/gnupg/extra-certs/ (for common intermediate
> authorities).
This is for GpgSM Certificates used for validation of CMS Certificates. I think
trusted-certificates also have the special role that they are used for CRL /
OCSP validation even if they are not marked as trusted in trustlist.txt.
> however, in http_session_new() in dirmngr/http.c, it appears to also use
> gnutls_certificate_set_x509_system_trust() in some cases (though i
> haven't been able to follow the code well enough to understand
> specifically when).
This is for transport Certificates used for TLS / HTTPS, but yes, I also don't
know how HKPS (which is basically https) plays in there or what the role of
hkp-cacert is.
> It seems awkward and potentially confusing to the user to have these two
> distinct validation schemes.
Which two are you referring to? HTTPS with System Certs and HKP-Cacert or the
difference between CMS and TLS validation? I see the following validation ways:
1. CMS: extra-certs / trusted-certs with trusted certs used for CRL / OCSP
2. CMS: trustlist.txt (either systemwide or user) + extra-certs trusted-certs
as "hidden repository of certificates that are imported when used" or keyring
3. TLS: hkp-cacert
4. TLS: GnuTLS "System store"
> I'd suggest that if the user doesn't supply any hkp-cacert config
> either on the command line or in dirmngr.conf (and they're not using
> the magic string hkps://hkps.pool.sks-keyservers.net/) and they've
> specified hkps, then it seems like using the gnutls's system_trust would
> be a reasonable default.
I agree. (Or if we ever get TLS on Windows I would want the Windows Store to
be used.)
> If someone wants to explicitly not use the system trust, then they could
> set hkp-cacert to the empty string.
>
> Is there a way that we can simplify this for the user?
Your suggestion sounds reasonable to me regarding TLS. But with regards to
CMS certificates with extra-certs, trusted-certs I don't think that needs to be
simplified.
In the usual "one user" installation a user should just use case 2 and import the
certificates which are trusted. Extra-certs and trusted-certs are more for
institutional users that have dedicated people to set things up.
Regards,
Andre
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
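An added example (not GnuPG's own code) that audits the inputs listed in the thread: it checks whether the files in trusted-certs / extra-certs are the DER encoding dirmngr reads rather than PEM, and reports how hkp-cacert is set in dirmngr.conf (unset, a value, or the empty string). The directory paths, the option name and the one-option-per-line conf layout are assumptions taken from the messages above.

```python
"""Audit the dirmngr trust inputs named above (added example, not GnuPG
code). Assumes trusted-certs / extra-certs hold DER *.crt or *.der files
and that dirmngr.conf uses one 'hkp-cacert VALUE' option per line."""
import re
from pathlib import Path

CERT_SUFFIXES = (".crt", ".der")


def classify_cert_file(data):
    """Return 'der', 'pem' or 'unknown' for the raw bytes of one file.
    A DER certificate is one ASN.1 SEQUENCE (tag 0x30) whose encoded length
    covers the rest of the file; PEM is base64 text with a BEGIN marker."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if len(data) < 4 or data[0] != 0x30:
        return "unknown"
    first = data[1]
    if first & 0x80:                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return "unknown"
        length, body = int.from_bytes(data[2:2 + n], "big"), 2 + n
    else:                            # short form: the length is this byte
        length, body = first, 2
    return "der" if body + length == len(data) else "unknown"


def hkp_cacert_values(conf_text):
    """All hkp-cacert values in dirmngr.conf text. An empty list means the
    option is unset; '' is the empty-string case discussed in the thread."""
    values = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"hkp-cacert\b\s*(.*)$", line)
        if m:
            values.append(m.group(1).strip())
    return values


def audit_cert_dir(directory):
    """Map each *.crt/*.der file in a directory to its detected format;
    anything not 'der' is a file dirmngr will not load as a certificate."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: classify_cert_file(p.read_bytes())
            for p in sorted(directory.iterdir())
            if p.suffix.lower() in CERT_SUFFIXES}
```

Run `audit_cert_dir("/etc/gnupg/trusted-certs")` and `audit_cert_dir("/etc/gnupg/extra-certs")` on a host to list any file that is not DER, and `hkp_cacert_values(open(path).read())` on the dirmngr.conf in use to see which of the four validation paths the TLS side will take.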