
GpgOL: S/MIME Mails with invalid CRLs are not detected as signed when forwarding
Open, Low, Public

Description

It was reported that S/MIME Mails where the CRL is not available cannot be properly forwarded by GpgOL because of the EFail protection.

This needs to be investigated.

Details

Version
master

Event Timeline

See also T4538 which we can only fix in 2.2 after we have checked that this does not break the VS-NfD approval.

We need to know the issuers of the CRLs under question.

This issue is not really about the CRLs. GpgOL should not activate the EFail protection if a CRL check fails. That is the issue here.

aheinecke lowered the priority of this task from Normal to Low. Jul 14 2019, 11:12 AM

Testing with the DGN certificate showed that GPGSM returns a signature verification error (invalid digest algorithm) in this case. So the signature summary is not even checked.

I would prefer to have a CRL Error in that case in the signature summary and the signature verification going through with an error. We should not be so super harsh with CRL errors but give the application a bit of freedom in how to handle them.

I guess we can treat this as low priority though. And in this case it is really caused by T4538.