[Gpg4win-devel] X509 Root certificates and trusting them
Bernhard Reiter
bernhard at intevation.de
Fri May 21 12:03:22 CEST 2010
Just got more user feedback that people
feel that S/MIME is not working because they do not manage to
a) get root certificates to be trustworthy.
b) do not disable crl checks when behind a bad firewall.
It is my conviction that we should keep the allow-mark-trusted-option off by
default as this already is the workaround. The recommended way for a
production X509 /CMS system is that a list of trusted X509 root certificates
is maintained by the administrator of the system
directlty for dirmngr and possibly the global gpgsm.
However users do not seem to find our already placed instructions
for this. So what are our options to solve a)?
i) Place information more prominently!
Like: i.1) earlier in the readme,
i.2) on the website while downloading
i.3.) during the installer
ii) Phrase instructions better at all places
iii) improve the error message if that condition is met to point people
towards the explanation.
iv) possibly improve the certification manager to hint towards the condiation?
Important: The recommended way must be explained and reasoned for.
The workaround (using allow-mark-trusted) must also be explained
as what it is: A workaround.
Marcus, Emanuel, Werner, marc, can you please suggest improvements for
i),ii),iii), iv)?
Best,
Bernhard
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Deputy Coordinator Germany: fsfe.org. Board member: www.kolabsys.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2620 bytes
Desc: not available
Url : http://lists.wald.intevation.org/pipermail/gpg4win-devel/attachments/20100521/8990b8c2/smime.bin
More information about the Gpg4win-devel
mailing list