[Kde-pim] S/MIME validation in kmail

Marc Mutz marc at kdab.net
Wed Dec 10 09:07:29 GMT 2008


On Sunday December 7 2008, Ingo Klöcker wrote:
> On Sunday 07 December 2008, Nick Shaforostoff wrote:
> > 2008/12/7 Ingo Klöcker <kloecker at kde.org>:
> > > On Sunday 07 December 2008, Nick Shaforostoff wrote:
> > >> Hi.
> > >>
> > >> Please tell me what's the relationship of underlined items:
> > >> http://youonlylivetwice.info/kmail-crl.png
> > >
> > > Those two items (and all other items of the S/MIME Validation
> > > configuration) correspond directly to configuration options of
> > > gpgsm (which is used by KMail for handling all things related to
> > > S/MIME):
> > >
> > > The two choices "Validate certificates using CRLs" and "Validate
> > > certificates online (OCSP)" correspond to gpgsm's
> > > option --enable-ocsp/--disable-ocsp. Quoting from [1]:
> > >
> > >  By default OCSP checks are disabled. The enable option may be used
> > > to enable OCSP checks via Dirmngr. If CRL checks are also enabled,
> > > CRLs will be used as a fallback if for some reason an OCSP request
> > > won't succeed. Note, that you have to allow OCSP requests in
> > > Dirmngr's configuration too (option --allow-ocsp) and configure
> > > dirmngr properly. If you don't do so you will get the error code
> > > `Not supported'.
> > >
> > >
> > > The option "Never consult a CRL" corresponds to gpgsm's
> > > option --enable-crl-checks/--disable-crl-checks. Quoting from [1]:
> > >
> > >  By default the CRL checks are enabled and the DirMngr is used to
> > > check for revoked certificates. The disable option is most useful
> > > with an off-line network connection to suppress this check.
> >
> > then it makes sense to move this option closer to OCSP one, and
> > autodisable it when 'Validate certificates using CRLs' is checked:
> > http://youonlylivetwice.info/kmail-crl-after.png
> >
> > ok for me to commit?
>
> No. This way it wouldn't be possible anymore to disable checking of the
> validity of certificates (because for this one has to choose CRL
> checking and disable checking of CRLs; yes, it is confusing).
>
> I think this needs a more radical change:
> ( ) Do not validate certificates (not recommended)
> ( ) Validate certificates using CRLs

() Validate certificates offline (CRLs)

> ( ) Validate certificates online (OCSP)         [ ] Check CRLs if OCSP request fails

[] Fall back to CRLs when OCSP requests fail.

Looks good. Bernhard? Agreed?

Thanks,
Marc

>
> The first option corresponds to --disable-crl-checks --disable-ocsp.
> The second option corresponds to --enable-crl-checks --disable-ocsp.
> The third option corresponds to --enable-ocsp with
> --enable-crl-checks/--disable-crl-checks depending on the state of the
> checkbox.
>
>
> Anyway, before we make any of these changes we should check back with
> the Ägypten developers whether this change really makes sense. Marc,
> see http://kde.markmail.org/message/vr57bkuykzp22es6 for the whole
> thread.
>
>
> Regards,
> Ingo



-- 
Marc Mutz - marc at kdab.com, mutz at kde.org - Klarälvdalens Datakonsult AB
Platform-independent software solutions - www.kdab.com info at kdab.com
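
The option mapping discussed in this thread, as an added example (not code from KMail, gpgsm, or any poster): a small checker that reads the text of a gpgsm.conf and a dirmngr.conf and reports which of the proposed validation modes is in effect, including the `Not supported` case from the quoted documentation. The function names and sample configurations are constructed, and it assumes options apply in file order so that the last of an enable/disable pair wins.

```python
"""Added example: classify the revocation-checking mode of a gpgsm.conf."""
# Assumption: options apply in file order, so the last of an enable/disable
# pair wins. Defaults follow the gpgsm text quoted in the thread.


def _options(conf_text):
    """Return option names from GnuPG-style config text (dashes stripped)."""
    names = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.split()[0].lstrip("-"))
    return names


def validation_mode(gpgsm_conf, dirmngr_conf=""):
    """Return (mode, warnings) for gpgsm.conf and dirmngr.conf contents."""
    crl, ocsp = True, False  # defaults: CRL checks enabled, OCSP disabled
    for opt in _options(gpgsm_conf):
        if opt in ("enable-crl-checks", "disable-crl-checks"):
            crl = opt.startswith("enable")
        elif opt in ("enable-ocsp", "disable-ocsp"):
            ocsp = opt.startswith("enable")

    warnings = []
    if ocsp and "allow-ocsp" not in _options(dirmngr_conf):
        warnings.append("enable-ocsp without dirmngr allow-ocsp: "
                        "OCSP requests fail with 'Not supported'")
    if ocsp:
        mode = "ocsp-with-crl-fallback" if crl else "ocsp-only"
    else:
        mode = "crl" if crl else "no-validation"
    if mode == "no-validation":
        warnings.append("revoked certificates will not be detected")
    return mode, warnings


if __name__ == "__main__":
    # Constructed sample configurations, not taken from the thread.
    samples = [
        ("", ""),
        ("disable-crl-checks\ndisable-ocsp\n", ""),
        ("enable-ocsp\n", ""),
        ("enable-ocsp\ndisable-crl-checks\n", "allow-ocsp\n"),
    ]
    for gpgsm_conf, dirmngr_conf in samples:
        print(validation_mode(gpgsm_conf, dirmngr_conf))
```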