[Gpg4win-devel] X509 Root certificates and trusting them

Bernhard Reiter bernhard at intevation.de
Wed Sep 22 10:03:38 CEST 2010


On Friday, 21 May 2010 12:03:22, Bernhard Reiter wrote:
> Just got more user feedback that people
> feel that S/MIME is not working because they do not manage to
>
> a) get root certificates to be trustworthy.
> b) do not disable crl checks when behind a bad firewall.

We have not made progress on this point, but we have to.

> It is my conviction that we should keep the allow-mark-trusted-option off
> by default as this already is the workaround. The recommended way for a
> production X509/CMS system is that a list of trusted X509 root
> certificates is maintained by the administrator of the system
> directly for dirmngr and possibly the global gpgsm.
>
> However users do not seem to find our already placed instructions
> for this. So what are our options to solve a)?
>
> i) Place information more prominently!
>    Like: i.1) earlier in the readme,
>          i.2) on the website while downloading
>          i.3) during the installer
> ii) Phrase instructions better at all places
> iii) improve the error message if that condition is met to point people
> towards the explanation.
> iv) possibly improve the certification manager to hint towards the
> condition?
>
> Important: The recommended way must be explained and reasoned for.

You will have seen the search I've done under the topic
"X509 Root certificates and trusting them"; the fourth edition is current.
(It also mentions the more important "relax" keyword.)

> The workaround (using allow-mark-trusted) must also be explained
> as what it is: A workaround.


> Marcus, Emanuel, Werner, marc, can you please suggest improvements for
> i),ii),iii), iv)?

In my view we must implement all measures. 

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Deputy Coordinator Germany: fsfe.org. Board member: www.kolabsys.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
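
Added example, not part of the original message and not Gpg4win or GnuPG code: a sketch of the administrator-maintained root list discussed above, assuming the trustlist.txt line format documented for gpg-agent (SHA-1 fingerprint, the `S` flag, the optional `relax` keyword, `!` for an explicitly untrusted entry). The function names and the sample certificate bytes are constructed for illustration, and only whitespace-separated flags are handled.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-1 fingerprint (uppercase hex) of each certificate's DER encoding."""
    return [hashlib.sha1(base64.b64decode("".join(b.split()))).hexdigest().upper()
            for b in PEM_RE.findall(pem_text)]

def trustlist_lines(pem_text, relax=False):
    """One '<fingerprint> S [relax]' line per root certificate in the bundle."""
    flags = "S relax" if relax else "S"
    return [f"{fpr} {flags}" for fpr in fingerprints(pem_text)]

def parse_trustlist(text):
    """Parse trustlist text so entries carrying 'relax' or '!' can be reviewed."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        fpr = fields[0].lstrip("!").replace(":", "").upper()
        if len(fields) < 2 or not re.fullmatch(r"[0-9A-F]{40}", fpr):
            raise ValueError(f"malformed trustlist line: {raw!r}")
        entries.append({"fpr": fpr,
                        "disabled": fields[0].startswith("!"),
                        "type": fields[1],
                        "flags": set(fields[2:])})
    return entries

# Constructed sample: placeholder bytes standing in for a root certificate's DER.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    generated = "\n".join(trustlist_lines(SAMPLE_PEM, relax=True))
    print(generated)
    for e in parse_trustlist(generated):
        if "relax" in e["flags"]:
            print("review: relaxed root checks for", e["fpr"])
```

Compare the computed fingerprint with one obtained from the CA through a separate channel before adding the line to the list.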