Home GnuPG
Diffusion GnuPG 7c1613d41566

dirmngr: Add system CAs if no hkp-cacert is given
7c1613d41566Unpublished
Actions

Unpublished Commit · Learn More

Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

dirmngr: Add system CAs if no hkp-cacert is given

* dirmngr/dirmngr.c (http_session_new): If the user isn't talking to
the HKPS pool, and they have not specified any hkp-cacert, then we
should default to the system CAs, rather than nothing.
* doc/dirmngr.texi: Document choice of CAs.

Consider three possible classes of dirmngr configuration:

a) no hkps:// keyserver URLs at all (communication with keyservers is

entirely in the clear)

b) hkps:// keyserver URLs, but no hkp-cacert directives

c) hkps:// keyserver URLs, and at least one hkp-cacert directive

class (a) provides no confidentiality of requests.

class (b) currently will never work because the server certificate
cannot be validated.

class (c) is currently supported as intended.

This patch allows users with configurations in class (b) to work as
most users expect (relying on the system certificate authorities),
without affecting users in classes (a) or (c).

o minor indentation fix

  • wk
  • Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Details

Provenance
dkgAuthored on Oct 28 2016, 12:30 AM
wernerCommitted on Nov 17 2016, 3:29 PM
Parents
rGc4e02a3b7ad6: dirmngr: Register hkp-cacert even if the file doesn't exist yet
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
dirmngr/
doc/

rG7c1613d41566

View Options

dirmngr/http.c

Loading...
View Options

doc/dirmngr.texi

Loading...