Message signing popups....

Achim Bohnet ach at mpe.mpg.de
Thu May 28 07:58:10 BST 2020


On Wednesday, 27 May 2020 23:43:22 CEST René J.V. Bertin wrote:
> On Wednesday May 27 2020 23:11:44 Achim Bohnet wrote:
> 
> ...
> 
> >I've not the slightest idea why kleopatra or better GnuPG SMime does not trust
> >those root certificates like all do.  IMHO this is a bug :-(
> >
> >> How am I supposed to know?
> >
> >I've no idea either.  Mozilla and Firefox carefully audit the
> >root certificates and the web browsers use them for all the trusted https
> >connections. Asking me if I know better than they do is quite silly ;-)
> 
> I'm by no means an expert on this sort of thing, but AFAIK it's up to the
> system vendor or maintainer to keep these certificates up to date, at the
> store(s) that are used by applications that do not provide their own set of
> certificates (i.e. your web browsers). If your system isn't kept up to date
> as it should in this matter, it will end up running into unknown root
> certificates, and will have no other option than to ask you to trust it.

You're right.  Trusting all root certs supplied via the distro vendor
from Mozilla & Google is not a good idea, because some root certs
were and will be kicked out of the trusted certs store in
/etc/ssl/certificates when they don't obey the quality rules of the Webengine
producers anymore.  Others are added.

So a better strategy may be:

 * on start kleopatra checks if all X.509 root certificates in ~/.gnupg are
   also in /etc/ssl/certificates.  If not, show a warning that the
   root cert was removed from there.

 * when a new mail with a yet untrusted root cert is received/read, check
   that it's in the list of root certs in /etc/ssl/certificates.  If yes,
   tell the user and ask [trust] [no thanks]; if not, warn the user that
   it's not in the list in /etc/ssl/certificates and ask if one really wants
   to trust it.  If the user nevertheless agrees, show him the verification
   dialogs for the experts that are used right now by kmail/kleopatra.


Achim

-- 
  To me vi is Zen.  To use vi is to practice zen. Every command is
  a koan. Profound to the user, unintelligible to the uninitiated.
  You discover truth every time you use it.
                                      -- reddy at lion.austin.ibm.com
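The two checks Achim proposes above (the start-up comparison and the decision for a newly seen root), written out as an added example that is not part of the original thread nor of Kleopatra/GnuPG. It identifies roots by the SHA-256 fingerprint of their DER bytes and assumes both the locally trusted roots and the system store are available as PEM files; the directory loader, the result labels and the placeholder certificates are constructed for illustration.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Return the SHA-256 fingerprints (hex) of every certificate in a PEM bundle.

    The fingerprint hashes the DER bytes, so the same root is recognised no
    matter which file or store it came from."""
    fps = set()
    for b64 in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def load_store(directory, patterns=("*.pem", "*.crt")):
    """Fingerprints of all PEM certificates under a directory (e.g. the system store)."""
    fps = set()
    for pattern in patterns:
        for path in Path(directory).glob(pattern):
            fps |= fingerprints(path.read_text(errors="replace"))
    return fps

def removed_roots(local_fps, system_fps):
    """Start-up check: locally trusted roots the vendor store no longer carries."""
    return local_fps - system_fps

def classify_new_root(pem_text, system_fps):
    """Decision for a root cert seen in a newly received signed mail."""
    new = fingerprints(pem_text)
    if new and new <= system_fps:
        return "offer_trust"           # plain [trust] [no thanks] prompt
    return "warn_not_in_system_store"  # extra warning before the expert dialogs

# Constructed placeholders: real certificates carry far longer base64, but the
# logic only needs the DER bytes, which here are simply b"root-A", b"root-B", b"root-C".
def _pem(b64):
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

ROOT_A, ROOT_B, ROOT_C = _pem("cm9vdC1B"), _pem("cm9vdC1C"), _pem("cm9vdC1D")
SYSTEM_BUNDLE = ROOT_A + ROOT_B   # what the distro currently ships
LOCAL_BUNDLE = ROOT_A + ROOT_C    # what the user trusted earlier

if __name__ == "__main__":
    system = fingerprints(SYSTEM_BUNDLE)
    for fp in removed_roots(fingerprints(LOCAL_BUNDLE), system):
        print("warning: locally trusted root no longer in system store:", fp)
    print(classify_new_root(ROOT_B, system), classify_new_root(ROOT_C, system))
```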