
Trust system's root CA for checking CRL issuers
Closed, Resolved, Public


In general gpgsm does not trust the system's root CA because there are just too many. Neither does dirmngr trust the system's certificates when it comes to checking the CRL issuer's certificate. Given that it is better to have a valid CRL than not being able to consult a CRL, we should also trust the system's Root CA for CRL issuers.

With that, the workaround of adding a system's root CA's fingerprint to the trustlist.txt won't be needed anymore.
