[Kde-pim] S/MIME validation in kmail

Bernhard Reiter bernhard at intevation.de
Fri Dec 12 12:00:03 GMT 2008


Hi Ingo, Marc, All,

On Wednesday, 10 December 2008 10:07:29, Marc Mutz wrote:
> > I think this needs a more radical change:
> > ( ) Do not validate certificates (not recommended)
> > ( ) Validate certificates using CRLs
>
> () Validate certificates offline (CRLs)
>
> > ( ) Validate certificates online (OCSP)         [ ] Check CRLs if OCSP
> > request fails
>
> [] Fall back to CRLs when OCSP requests fail.
>
> Looks good. Bernhard? Agreed?

> > The first option corresponds to --disable-crl-checks --disable-ocsp.
> > The second option corresponds to --enable-crl-checks --disable-ocsp.
> > The third option corresponds to --enable-ocsp with
> > --enable-crl-checks/--disable-crl-checks depending on the state of the
> > checkbox.

Somehow this is too complicated for my taste;
also, the labels are too confusing.
Note that both CRL and OCSP check methods usually use the network connection,
so they are both "online" in a way.
Also checking for a revoked status of a certificate (and its chain) is just
a part of what is done during "validation". 

What about
  [] Enable OCSP checks 
  [] Enable CRL checks
This most clearly maps onto the gpgsm options and gives all four combinations.

Now we need more explanation to guide the user.
There are a few ways to do it; updated proposal:

   Checking revocation status of certificates
   [] Enable requests for single certificates via OCSP (tried first)
   [] Enable use of revocation lists (CRLs) 

If no method is enabled, we could blend in a warning close to the checkboxes
in the dialog:
	 Checking for revoked certificates disabled (highly discouraged)!

Best,
Bernhard


-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner