[Kde-pim] Review Request 124950: Kleo: Disable CRL checks for list all keys job

Andre Heinecke aheinecke at intevation.de
Fri Aug 28 09:33:41 BST 2015 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/124950/
-----------------------------------------------------------

(Updated Aug. 28, 2015, 8:33 a.m.)


Status
------

This change has been marked as submitted.


Review request for KDEPIM.


Changes
-------

Submitted with commit 94cad004c62f05ce47a471fb892ef4ffd513b317 by Andre Heinecke to branch master.


Bugs: 339385
    http://bugs.kde.org/show_bug.cgi?id=339385


Repository: kdepim


Description
-------

Not much code to review here but I'd like to get approval for this
as this is a functionalty change.

Also is it enough to bump the required gpgmepp version or do
I have to modify something else not to break kdesrc-build or the CI?

Rationale for this change:

On startup Kleopatra does a listAllKeysJob with validation
to get all certificates GnuPG knows about.

We need to list keys in keylist mode validate to
get trust and trustchain information for X509
certificates. By default this includes CRL / OCSP
checks. The new "offline" mode introduced with
gpgsm 2.1.6 allows us to list all keys with validation
but without consulting remote sources.

This speeds up the time until Kleopatra is usable
as an application or as an UI Server drastically
as CRL checks can be infinitley slow and old keyrings
with a lot of certificates might also include a lot
of broken CRL servers that would be queried until
the fetch operation times out.

While disabling CRL checks looks like less security
this should actually improve security as the usual
workaround for this Bug was to disable-crl checks completely.
Now they are still done when it's imporant
(once a certificate is actually used). Also validating the
complete keyring on startup might be considered a privacy leak,
but thats a general problem with CRLs.

This setting (like mode validate) does not affect OpenPGP keylisting.


While this is a bugfix it needs gpgme 1.6.0 (released yesterday)
and gnupg 2.1.6 to work so I don't think it should be backported.


Diffs
-----

  CMakeLists.txt e38216e 
  libkleo/backends/qgpgme/qgpgmebackend.cpp 02d451b 

Diff: https://git.reviewboard.kde.org/r/124950/diff/


Testing
-------

Using it myself for some time and it's part of gpg4win-2.2.5.


Thanks,

Andre Heinecke

_______________________________________________
KDE PIM mailing list kde-pim at kde.org
https://mail.kde.org/mailman/listinfo/kde-pim
KDE PIM home page at http://pim.kde.org/

More information about the kde-pim mailing list