[Kde-pim] S/MIME validation in kmail

Ingo Klöcker kloecker at kde.org
Sun Dec 7 14:48:39 GMT 2008


On Sunday 07 December 2008, Nick Shaforostoff wrote:
> 2008/12/7 Ingo Klöcker <kloecker at kde.org>:
> > On Sunday 07 December 2008, Nick Shaforostoff wrote:
> >> Hi.
> >>
> >> Please tell me what's the relationship of underlined items:
> >> http://youonlylivetwice.info/kmail-crl.png
> >
> > Those two items (and all other items of the S/MIME Validation
> > configuration) correspond directly to configuration options of
> > gpgsm (which is used by KMail for handling all things related to
> > S/MIME):
> >
> > The two choices "Validate certificates using CRLs" and "Validate
> > certificates online (OCSP)" correspond to gpgsm's
> > option --enable-ocsp/--disable-ocsp. Quoting from [1]:
> >
> >  By default OCSP checks are disabled. The enable option may be used
> > to enable OCSP checks via Dirmngr. If CRL checks are also enabled,
> > CRLs will be used as a fallback if for some reason an OCSP request
> > won't succeed. Note, that you have to allow OCSP requests in
> > Dirmngr's configuration too (option --allow-ocsp) and configure
> > dirmngr properly. If you don't do so you will get the error code
> > `Not supported'.
> >
> >
> > The option "Never consult a CRL" corresponds to gpgsm's
> > option --enable-crl-checks/--disable-crl-checks. Quoting from [1]:
> >
> >  By default the CRL checks are enabled and the DirMngr is used to
> > check for revoked certificates. The disable option is most useful
> > with an off-line network connection to suppress this check.
>
> then it makes sense to move this option closer to OCSP one, and
> autodisable it when 'Validate certificates using CRLs' is checked:
> http://youonlylivetwice.info/kmail-crl-after.png
>
> ok for me to commit?

No. This way it wouldn't be possible anymore to disable checking of the 
validity of certificates (because for this one has to choose CRL 
checking and disable checking of CRLs; yes, it is confusing).

I think this needs a more radical change:
( ) Do not validate certificates (not recommended)
( ) Validate certificates using CRLs
( ) Validate certificates online (OCSP)         [ ] Check CRLs if OCSP request fails

The first option corresponds to --disable-crl-checks --disable-ocsp.
The second option corresponds to --enable-crl-checks --disable-ocsp.
The third option corresponds to --enable-ocsp with 
--enable-crl-checks/--disable-crl-checks depending on the state of the 
checkbox.


Anyway, before we make any of these changes we should check back with 
the Ägypten developers whether this change really makes sense. Marc, 
see http://kde.markmail.org/message/vr57bkuykzp22es6 for the whole 
thread.


Regards,
Ingo
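
The mapping described in the message above, as an added example that is not part of the original post and is not KDE or GnuPG code: a shell sketch that reads the text of a gpgsm.conf and a dirmngr.conf and reports which validation mode is in effect, including the case where OCSP is enabled in gpgsm but not allowed in Dirmngr. The mode labels and function names are hypothetical, the sample configuration is constructed, and "the last occurrence of an option wins" is an assumption.

```shell
#!/bin/sh
# Classify the effective S/MIME revocation-checking mode from config text.
# Config files use the option names without the leading "--".

# last_toggle NAME CONF_TEXT DEFAULT -> prints "enable" or "disable".
# Assumption: when an option is given more than once, the last one wins.
last_toggle() {
    printf '%s\n' "$2" | awk -v name="$1" -v state="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == ("enable-" name)  { state = "enable" }
        $0 == ("disable-" name) { state = "disable" }
        END { print state }'
}

# has_option NAME CONF_TEXT -> exit status 0 if the bare option is present.
has_option() {
    printf '%s\n' "$2" | awk -v name="$1" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == name { found = 1 }
        END { exit !found }'
}

# validation_mode GPGSM_CONF_TEXT DIRMNGR_CONF_TEXT -> prints a mode label.
validation_mode() {
    crl=$(last_toggle crl-checks "$1" enable)    # CRL checks default to on
    ocsp=$(last_toggle ocsp "$1" disable)        # OCSP checks default to off
    if [ "$ocsp" = enable ]; then
        if ! has_option allow-ocsp "$2"; then
            echo "ocsp-blocked-by-dirmngr"       # gpgsm reports 'Not supported'
        elif [ "$crl" = enable ]; then
            echo "ocsp-with-crl-fallback"        # third option, checkbox ticked
        else
            echo "ocsp-only"                     # third option, checkbox clear
        fi
    elif [ "$crl" = enable ]; then
        echo "crl"                               # second option
    else
        echo "no-validation"                     # first option (not recommended)
    fi
}

# Constructed sample input, not taken from a real system.
SAMPLE_GPGSM='disable-crl-checks   # offline laptop
enable-ocsp'
SAMPLE_DIRMNGR='allow-ocsp'
validation_mode "$SAMPLE_GPGSM" "$SAMPLE_DIRMNGR"
```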