CRL checking in dirmngr (Was: Re: [PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given)

Kristian Fiskerstrand kristian.fiskerstrand at
Fri Nov 4 23:52:07 CET 2016

On 10/31/2016 03:30 PM, Daniel Kahn Gillmor wrote:
> On Thu 2016-10-27 18:59:03 -0400, Kristian Fiskerstrand wrote:
>> On 10/28/2016 12:30 AM, Daniel Kahn Gillmor wrote:
>>> * dirmngr/dirmngr.c (http_session_new): if the user isn't talking to
>>>   the HKPS pool, and they have not specified any hkp-cacert, then we
>>>   should default to the system CAs, rather than nothing.
>>> * doc/dirmngr.texi: document choice of CAs.
>> I'm a bit ambiguous about this change. In Gentoo we currently have the
>> use of a system CA behind a user-selectable use flag for hkps but even
>> so the set of provided CAs is originating mostly from Mozilla.
>> As seen with the latest WoSign / StartCom issues, mozilla is not overly
>> concerned about third-party usage of the provided CA certificates, and
>> have more complex restrictions in place for NSS (e.g specific
>> notBeforeDate and OneCRL checking).

Since dirmngr already has CRL checking capabilities, at least OneCRL
checking is likely a good idea to implement. I'd also be nice if CRL is
checked for specific CA, e.g in the case of for

Kristian Fiskerstrand
Twitter: @krifisk
Public OpenPGP keyblock at hkp://
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nosce te ipsum!
Know thyself!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161104/81bde0c2/attachment.sig>

More information about the Gnupg-devel mailing list