GpgOL: Import x509 keys from configured servers automatically
Closed, ResolvedPublic


For OpenPGP we use --locate-key to import keys from a web key directory.

For S/MIME we have no such thing but because we have the hierarchical trust model we can import just any certificate from a configured X509 keyserver and if it is trusted for that address use it automatically.

aheinecke created this task.Oct 9 2018, 1:58 PM

This is how it looks like:

It should even work to fetch a new certificate if the old one was expired. As there is no default X500 keyserver I'm not much concerned about a privacy leak. But still it could be a big privacy leak considering the following situation:

Alice want's to send bob a mail but has no X509 key for him e.g. just OpenPGP. GpgOL would query all configured X509 keyservers for bob's key. So all the keyservers or someone watching the unencrypted ldap traffic would see that Alice is currently sending a mail to Bob.

Should definitely be a default off option.

rev. 1b37aa01cc67d942de06c882fd9d30d39866b111 turns it off by default and even with it enabled only searches the X509 servers if there is no OpenPGP key for this address already available and S/MIME is not the preferred protocol.

aheinecke closed this task as Resolved.Oct 9 2018, 3:11 PM

I think with this warning and default off I can live with this option as it is now.