Maniphest T6963

Trust system's root CA for checking CRL issuers
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• werner
	Jan 26 2024, 1:04 PM

Tags

Subscribers

Description

In general gpgsm does not trust the system's root CA becuase there are just too many. Neither does dirmngr the system's certificates when it comes to checking the CRL issuer's certificate. Given that it is better to have a valid CRL than not being abale to consult a CRL, we should also trust the system's Root CA for CRL issuers.

With that the workaround of adding a system's root CA's fingerprint to the trustlist.txt won't be needed anymore.

Revisions and Commits

rG GnuPG
	rG4dc09bc5e7f3 dirmngr: For CRL issuer verification trust the system's root CA.
	rG935b5a49b416 dirmngr: For CRL issuer verification trust the system's root CA.

Related Objects

Mentioned In: T6849: Release GnuPG 2.2.43
T6960: Release GnuPG 2.4.5

Event Timeline

• werner triaged this task as Normal priority.Jan 26 2024, 1:04 PM

• werner created this task.

• werner moved this task from Backlog to WiP on the gnupg22 board.Jan 26 2024, 1:13 PM

• werner added a commit: rG935b5a49b416: dirmngr: For CRL issuer verification trust the system's root CA..Jan 26 2024, 1:13 PM

• werner added a commit: rG4dc09bc5e7f3: dirmngr: For CRL issuer verification trust the system's root CA..Jan 26 2024, 1:37 PM

• werner closed this task as Resolved.Jan 26 2024, 1:39 PM

• werner claimed this task.

• werner moved this task from WiP to gnupg-2.2.43 on the gnupg22 board.

• werner edited projects, added gnupg22 (gnupg-2.2.43); removed gnupg22.

• werner added a project: gnupg24 (gnupg-2.4.5).Mar 6 2024, 12:26 PM

• werner mentioned this in T6960: Release GnuPG 2.4.5.Mar 7 2024, 3:23 PM

• werner mentioned this in T6849: Release GnuPG 2.2.43.Tue, Apr 16, 9:47 AM