[PATCH GNUPG] sm: Search for qualified.txt at sysconfdir first

Dirk-Willem van Gulik dirkx at webweaving.org
Fri Sep 1 13:19:23 CEST 2017


On 1 Sep 2017, at 12:39, Werner Koch <wk at gnupg.org> wrote:
> On Fri,  1 Sep 2017 08:24, alon.barlev at gmail.com said:
> 
>> The qualified.txt may be modified by the Administrator, hence this
>> artifact is a configuration. A product may provide sane defaults,
>> however, it should be possible for the Administrator to manage
> 
> The idea behind the qualified.txt is to cope with German signature law
> which originally demanded that all valid root certificates are at least
> registered at a federal agency (Bundesnetzagentur).  So this should be a
> pretty static thing and could be updated by updating the gnupg package.
> Later it turned out that getting hold of the actual list in a secure
> way is impossible.  For example, calling the support desk of one of the
> CAs to ask for verification of the root certificate's fingerprint ended
> up in the support person reading to me the very same website I had in
> front of me - a web site I had directed that person to.  I conclude that
> this whole system is entirely bogus and, for other reasons, limited also
> by the security of https certificates.

FWIW - and limiting this to Germany - I’ve had considerably more luck with the Bundesamt für Sicherheit in der Informationstechnik (BSI) and extracting lists from the Bundesnetzagentur via that route. So that may be worth a try - especially as, once established, things work like clockwork for years.

Mind you - these were *context* specific lists (e.g. for the Arztausweis) - rather than the sort of generic one needed by GPG. I suspect that the ‘trust is not transitive’ issue may get in the way for the latter.

Dw.