In the wald forum it has been reported that GPGSM can't work with ocsp and or CRL checks enabled with a Spanish Governmental certificate chain.
https://wald.intevation.org/forum/forum.php?thread_id=2009&forum_id=21&group_id=11
I think this might be a missing feature / wishlist item related to T4118 but here the OCSP responder cert should be accepted probably because of id-pkix-ocsp-nocheck ?
This task is more about not forgetting that report and maybe improving gpgsm along the way.
Is using
ocsp-signer ./FILE
in dirmngr.conf with FILE being in ~/.gnupg and having a list of valid responder certificates a useful workaround? It is one of the suggested solution from rfc6960.
Good to know. I thought that ocsp-signer was only used if ocsp-responder is explitly set. I've suggested the workaround in the Message Board.
@werner what should the contents of the file look like?
I think they should contain the certificates in PEM format like:
-----BEGIN CERTIFICATE----- MIIFvjCCA6agAwIBAgIBDTANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJERTEY MBYGA1UECgwPSW50ZXZhdGlvbiBHbWJIMSEwHwYDVQQDDBhJbnRldmF0aW9uIEVt YWlsIENBIDIwMTYwHhcNMTgwMTE5MjA1NzMzWhcNMjAwMTE5MjA1NzMzWjBAMQsw ..... xBhxAKO+klmW0eBtHWwh9BCnlyH0r1YzvHMbH2PmOCqN6L6HelQHRLGgqJdM1/SH i29VL4yWffYFKfvhsin/S48lqYH3D5oBioT09iXy95qmGFjARs17OtHPBnzfmrti jHXHpNQHjXLVh34s9G/w8xZl+tQdM/d7taAsDx2j4kQ4Oq7GLU/FHGVMvGTC2Q9K MyJm04Kci7Sss2G/iJlgZntNqM0ISM3WuyrhAiOkHx2Eug== -----END CERTIFICATE-----
Is this correct? I was asked this on wald and I have no way ATM to test this.
The reporter said that it did not work for him.
As an additional note the OCSP signer selection in Kleopatra needs improvement.
werner,
I'm the spanish user. Are you also setting default ocsp responder option?
Setting only ocsp_signer doesn't worked, there are several CA's with diferent ocsp responders.