Message signing popups....
Ingo Klöcker
kloecker at kde.org
Thu May 28 21:37:52 BST 2020
On Wednesday, 27 May 2020 23:11:44 CEST Achim Bohnet wrote:
> On Wednesday, 27 May 2020 10:55:06 CEST Ian Douglas wrote:
> > On Tuesday, 26 May 2020 17:55:02 SAST Achim Bohnet wrote:
> > > Achim
> >
> > Achim's message produces the attached popup (and another one asking
> > similar things afterwards). The second one wanted me to verify the signature.
>
> Hi Ian,
>
> My mails are signed by an 'official' X509 certificate, i.e. not self-signed.
> This implies that the certificate has a chain of signing certificates that
> ends in a root-certificate. The popup asks you if you want to trust this
> root certificate.
>
> Mozilla and Google maintain a collection of well-known and trusted root-
> certificates (the root cert of my certificate is included there).
> I have not the slightest idea why kleopatra, or rather GnuPG SMime, does not
> trust those root certificates like all do. IMHO this is a bug :-(

This is no bug. This is on purpose. The list of root certificates that GnuPG
considers as trusted is independent of the list of trusted certificates that
comes with most distros. The list used by GnuPG is stored in
~/.gnupg/trustlist.txt and it is empty by default, i.e. by default GnuPG does
not trust any root certificates. That's on purpose.

The centralized PKI system is broken by design. Repeatedly, "trusted"
certificate authorities (CAs) have been tricked by criminals or forced by
governmental institutions to issue certificates for domains of other
organizations. For example, there are multiple fake certificates for the
domain google.com that were issued by "trusted" CAs. Conclusion: If your life
depends on it, then you had better not trust any CAs by default.

Mozilla and Google (resp. the distributions) chose to live with this problem
(and, in the meantime, there are mitigations in place for browsers to prevent
trusted certificates issued by wrong CAs). GnuPG, which is certified by the
German BSI for usage for confidential data by governmental institutions, chose
not to risk lives (literally) by trusting any CAs.

Regards,
Ingo
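
The message above names ~/.gnupg/trustlist.txt as the only place where GnuPG records trusted root certificates. The following Python sketch is an added example, not part of the original post and not GnuPG code: it audits such a file and reports which roots have been marked trusted or explicitly not trusted. It assumes the line format described in the gpg-agent manual (a fingerprint, optionally colon-separated, followed by a capital S and optional flags; a leading `!` for "not trusted"; `#` comments; an `include-default` line); the function names and sample fingerprints are constructed.

```python
import re
from pathlib import Path

# Constructed sample input: placeholder fingerprints, not real CA certificates.
FPR_A, FPR_B, FPR_C = "AA" * 20, ":".join(["BB"] * 20), "CC" * 20
SAMPLE = f"""\
# CN=Example Root A (constructed)
{FPR_A} S

# CN=Example Root B (constructed), colon-separated, with a flag
{FPR_B} S relax

# CN=Example Root C (constructed), explicitly not trusted
!{FPR_C} S

include-default
this line is not a valid entry
"""

def parse_trustlist(text):
    """Classify every line of a trustlist.txt; returns a dict of findings."""
    report = {"trusted": [], "distrusted": [], "include_default": False, "unparsed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        if line == "include-default":     # pulls in the system-wide list as well
            report["include_default"] = True
            continue
        fields = line.lstrip("!").split()
        fpr = fields[0].replace(":", "").upper() if fields else ""
        # Assumption: 40-hex-digit fingerprint followed by a capital S.
        if not re.fullmatch(r"[0-9A-F]{40}", fpr) or fields[1:2] != ["S"]:
            report["unparsed"].append((lineno, line))
            continue
        bucket = "distrusted" if line.startswith("!") else "trusted"
        report[bucket].append((fpr, fields[2:]))
    return report

def audit(path=Path.home() / ".gnupg" / "trustlist.txt"):
    """Parse the user's trustlist; a missing file is parsed as an empty list."""
    return parse_trustlist(path.read_text() if path.is_file() else "")

if __name__ == "__main__":
    for key, value in parse_trustlist(SAMPLE).items():
        print(key, value)
```

An empty `trusted` list from `audit()` matches the default state described in the message; any entry in it, or `include_default` being true, is a root that was added deliberately and is worth reviewing.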