For OpenPGP we use --locate-key to import keys from a web key directory.
For S/MIME we have no such thing but because we have the hierarchical trust model we can import just any certificate from a configured X509 keyserver and if it is trusted for that address use it automatically.
| rGTO Gpg4win-Tools | |||
| rGTO6ddbe7f12c0d Add option to search on X509 servers with warning | |||
| rO GpgOL | |||
| rO005910cd90a8 Import certs for s/mime autoresolve from keyserver | |||
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Resolved | • aheinecke | T4174 GpgOL: Import x509 keys from configured servers automatically | ||
| Resolved | • aheinecke | T4125 Gpg4win 3.1.4 |
This is how it looks like:
It should even work to fetch a new certificate if the old one was expired. As there is no default X500 keyserver I'm not much concerned about a privacy leak. But still it could be a big privacy leak considering the following situation:
Alice want's to send bob a mail but has no X509 key for him e.g. just OpenPGP. GpgOL would query all configured X509 keyservers for bob's key. So all the keyservers or someone watching the unencrypted ldap traffic would see that Alice is currently sending a mail to Bob.
Should definitely be a default off option.
rev. 1b37aa01cc67d942de06c882fd9d30d39866b111 turns it off by default and even with it enabled only searches the X509 servers if there is no OpenPGP key for this address already available and S/MIME is not the preferred protocol.
