[Kde-pim] Review Request 124950: Kleo: Disable CRL checks for list all keys job
Sandro Knauß
knauss at kolabsys.com
Fri Aug 28 08:51:48 BST 2015
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/124950/#review84514
-----------------------------------------------------------
Ship it!
Ship It!
- Sandro Knauß
On Aug. 27, 2015, 12:41 nachm., Andre Heinecke wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/124950/
> -----------------------------------------------------------
>
> (Updated Aug. 27, 2015, 12:41 nachm.)
>
>
> Review request for KDEPIM.
>
>
> Bugs: 339385
> http://bugs.kde.org/show_bug.cgi?id=339385
>
>
> Repository: kdepim
>
>
> Description
> -------
>
> Not much code to review here but I'd like to get approval for this
> as this is a functionalty change.
>
> Also is it enough to bump the required gpgmepp version or do
> I have to modify something else not to break kdesrc-build or the CI?
>
> Rationale for this change:
>
> On startup Kleopatra does a listAllKeysJob with validation
> to get all certificates GnuPG knows about.
>
> We need to list keys in keylist mode validate to
> get trust and trustchain information for X509
> certificates. By default this includes CRL / OCSP
> checks. The new "offline" mode introduced with
> gpgsm 2.1.6 allows us to list all keys with validation
> but without consulting remote sources.
>
> This speeds up the time until Kleopatra is usable
> as an application or as an UI Server drastically
> as CRL checks can be infinitley slow and old keyrings
> with a lot of certificates might also include a lot
> of broken CRL servers that would be queried until
> the fetch operation times out.
>
> While disabling CRL checks looks like less security
> this should actually improve security as the usual
> workaround for this Bug was to disable-crl checks completely.
> Now they are still done when it's imporant
> (once a certificate is actually used). Also validating the
> complete keyring on startup might be considered a privacy leak,
> but thats a general problem with CRLs.
>
> This setting (like mode validate) does not affect OpenPGP keylisting.
>
>
> While this is a bugfix it needs gpgme 1.6.0 (released yesterday)
> and gnupg 2.1.6 to work so I don't think it should be backported.
>
>
> Diffs
> -----
>
> CMakeLists.txt e38216e
> libkleo/backends/qgpgme/qgpgmebackend.cpp 02d451b
>
> Diff: https://git.reviewboard.kde.org/r/124950/diff/
>
>
> Testing
> -------
>
> Using it myself for some time and it's part of gpg4win-2.2.5.
>
>
> Thanks,
>
> Andre Heinecke
>
>
_______________________________________________
KDE PIM mailing list kde-pim at kde.org
https://mail.kde.org/mailman/listinfo/kde-pim
KDE PIM home page at http://pim.kde.org/
More information about the kde-pim
mailing list