
Add compliance flag to trustlist.txt
Open, High, Public

Description

For de-vs mode it will be useful to distinguish between different Root CAs. An additional flag along with a certchain compliance check can support this.

Event Timeline

werner lowered the priority of this task from High to Normal. Sep 9 2021, 3:08 PM
werner raised the priority of this task from Normal to High. Jun 7 2022, 4:06 PM
werner added a project: Restricted Project.

A use case for this is to allow the use of S/MIME for de-vs mode and for standard mode while clearly indicating compliant certificates. As of now all certificates matching compliant algorithms are indicated as compliant. The new flag could be used to distinguish between them.

werner removed a project: gnupg (gpg23).
werner moved this task from Backlog to WiP on the gnupg24 board.
werner edited projects, added gnupg24 (gnupg-2.4.1); removed gnupg24.

The flag has been implemented in 2.4 but as long as this version has no approval it does not make sense to do anything more. Let's re-open this task if we have a real request for this.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jul 24 2023, 2:12 PM

Given that we backported it to gnupg22 we should go ahead and implement that flag. For example: if the flag is set for any root CA we will show compliance only if that flag is set for the specific root CA. This way we can introduce this feature w/o too much backward incompatibility. We could also hide the feature behind a compatibility flag. There is no reason why we should not add the de-vs trustlist flag to our vsd configuration files right away.
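The decision rule proposed in the last comment, as an added Python sketch that is not part of the task and not GnuPG's code. The simplified trustlist.txt parsing (fingerprint, then flags split on whitespace or commas, `!` for a distrusted entry), the function names, the fingerprints and the handling of unknown roots are assumptions made for the illustration.

```python
import re

# Constructed root CA fingerprints (not real certificates).
ROOT_A, ROOT_B, ROOT_C = "A" * 40, "B" * 40, "C" * 40
COLON_B = ":".join(ROOT_B[i:i + 2] for i in range(0, 40, 2))

# Constructed sample trustlist.txt: only ROOT_A carries the de-vs flag.
SAMPLE_TRUSTLIST = f"""# constructed sample, simplified syntax
{ROOT_A} S relax,de-vs
{COLON_B} S
!{ROOT_C} S de-vs
"""

def normalize(fpr):
    """Strip colons and upper-case a hex fingerprint."""
    return fpr.replace(":", "").upper()

def parse_trustlist(text):
    """Return {fingerprint: set(flags)} for the trusted entries."""
    roots = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].startswith("!"):
            continue  # explicitly distrusted entry: ignore it and its flags
        fpr = normalize(parts[0])
        if not re.fullmatch(r"[0-9A-F]{40}", fpr):
            continue  # not a fingerprint line (e.g. a directive)
        rest = parts[1] if len(parts) > 1 else ""
        roots[fpr] = {f for f in re.split(r"[,\s]+", rest) if f}
    return roots

def show_compliant(roots, root_fpr, algos_compliant):
    """Apply the proposed rule to one certificate chain.

    algos_compliant is the existing algorithm-only check result.
    """
    if not algos_compliant:
        return False
    flags = roots.get(normalize(root_fpr))
    if flags is None:
        return False  # assumption: an untrusted root is never shown compliant
    if not any("de-vs" in f for f in roots.values()):
        return True   # no root uses the flag: keep the old behaviour
    return "de-vs" in flags  # flag in use: the chain's own root must carry it
```
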