dirmngr trusted authorities

Andre Heinecke aheinecke at intevation.de
Tue Jul 19 09:54:39 CEST 2016


On Monday 18 July 2016 16:29:00 Daniel Kahn Gillmor wrote:
> according to its docs, dirmngr appears to look for X.509 certs as
> DER-encoded files named *.crt or *.der in /etc/gnupg/trusted-certs/ (for
> root authorities) and /etc/gnupg/extra-certs/ (for common intermediate
> authorities).

This is for GpgSM Certificates used for validation of CMS Certificates. I think 
trusted-certificates also have the special role that they are used for CRL / 
OCSP validation even if they are not marked as trusted in trustlist.txt

> however, in http_session_new() in dirmngr/http.c, it appears to also use
> gnutls_certificate_set_x509_system_trust() in some cases (though i
> haven't been able to follow the code well enough to understand
> specifically when).

This is for transport Certificates used for TLS / HTTPS but Yes I also don't 
know how HKPS (which is basically https) plays in there or what the role of 
hkp-cacert is.

> It seems awkward and potentially confusing to the user to have these two
> distinct validation schemes.

Which two are you referring to? HTTPS with System Certs and HKP-Cacert or the 
difference between CMS and TLS validation? I see the following validation ways:

1. CMS: extra-certs / trusted-certs with trusted certs used for CRL / OCSP
2. CMS: trustlist.txt (either systemwide or user) + extra-certs trusted-certs 
as "hidden repository of certificates that are imported when used" or keyring
3. TLS: hkp-cacert
4. TLS: GnuTLS "System store"

> I'd suggest that if the user doesn't supply any hkp-cacert config
> either on the command line or in dirmngr.conf (and they're not using
> the magic string hkps://hkps.pool.sks-keyservers.net/) and they've
> specified hkps, then it seems like using the gnutls's system_trust would
> be a reasonable default.

I agree, (Or if we ever get TLS on Windows I would want the Windows Store to 
be used)

> If someone wants to explicitly not use the system trust, then they could
> set hkp-cacert to the empty string.
> Is there a way that we can simplify this for the user?

Your suggestions sounds reasonable to me regarding TLS. But with regards to 
CMS certificates with extra-certs, trusted-certs I don't think that needs to be 

In the usual "one user" installation a user should just use Case 2 import the 
certificates which are trusted. Extra-certs and trusted-certs are more for 
instutional users that have dedicated people to set things up.


Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20160719/cf415c89/attachment-0001.sig>

More information about the Gnupg-devel mailing list