For de-vs mode it will be useful to distinguish between different Root CA. An additional flag along with a certchain compliance check can support this.
Description
Revisions and Commits
rG GnuPG | |||
rG6432d17385d0 agent: Fix detection of the trustflag de-vs. | |||
rGd9fdc165e657 agent: Fix detection of the trustflag de-vs. | |||
rG6ff13380a2e3 agent: Fix detection of the trustflag de-vs. | |||
rG6d45fcdd3c3e agent: Add trustlist flag "de-vs". | |||
rGa5360ae4c7bf agent: Add trustlist flag "de-vs". |
Related Objects
- Mentioned In
- T7289: Release GnuPG 2.5.2
T7030: Release GnuPG 2.4.6
Event Timeline
A use case for this is to allow the use of S/MIME for de-vs mode and for standard mode while clearly indicating compliant certificates. As of now all certificates matching compliant algorithms are indicated as compliant. The new flag could be used to distinguish between them.
The flag has been implemented in 2.4 but as long as this version has no approval it does not make sense to do anything more. Let's re-open this task if we have a real request for this.
Given that we backported it to gnupg22 we should go ahead and implement that flag. For example: if the flag is set for any root CA we will show compliance only if that flag is set for the specific root CA. This way we can introduce this feature w/o too much backward incompatibility. We could also hide the feature behind a compatibility flag. There is no reason why we should not add the de-vs trustlist flag to our vsd configuraion files, right away.