[Gpg4win-devel] CA-certificates.crt

Werner Koch wk at gnupg.org
Mon Dec 15 11:41:29 CET 2008


On Sat, 13 Dec 2008 12:31, colin at colino.net said:

> I'd like to have an SSL certificate bundle in Gpg4win, so that GnuTLS
> could verify certificate chains and Claws Mail could present correct

I thought about this in the past but this is all a bit problematic: What
policy shall we use to install certificates?  Most vendors require that
you push some money over the table to include your root certificates;
clearly this is not an option.

Shall we include Verislime and Thawte?  Probably yes, because they are
common.  OTOH, we support their business model by adding their root
certificates.

Shall we include CAcert?  I would say yes.  However some doubts have
been raised in the past about their security[1].

I don't even include the root certificates of the legally binding
qualified signature CA certificates in GnuPG.  The user should decide
what certificate to trust.

OTOH, for the average user it is not possible to check whether a given
root certificate is really trustworthy - which speaks a lot for
installing some root certificates by default.

Regarding TLS/SSL, I think it would be best to use the certificates
which are already installed on a windows box.  I have not checked
whether there is an easy API to list them.



Salam-Shalom,

   Werner



[1] Speaking of "security" in connection with the certification business
is in itself a little doubtful ;-).

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
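The message above leaves open whether the roots already installed on a Windows box can be listed easily. As an added example (not part of the original message or of Gpg4win), the following PowerShell enumerates the machine and user Root stores through the built-in Cert: provider and flags entries a reviewer would look at twice; the 'CAcert' subject match is only there to show how to check whether a particular CA, as discussed in the thread, is present.

```powershell
# Added example, not from the original message: list the root CAs that
# Windows already trusts, the store Werner suggests reusing for TLS.
# Assumes Windows PowerShell with the default Cert: drive provider.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$roots = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            # A genuine root is self-issued: issuer equals subject.
            # Anything else sitting in a Root store deserves a closer look.
            SelfIssued = ($_.Subject -eq $_.Issuer)
        }
    }
}

# Entries worth inspecting: expired roots, or certificates in a Root
# store that are not self-issued (possibly misplaced or injected).
$suspect = $roots | Where-Object {
    $_.NotAfter -lt (Get-Date) -or -not $_.SelfIssued
}

# Is a particular CA from the discussion (here CAcert) trusted at all?
$cacert = $roots | Where-Object { $_.Subject -match 'CAcert' }

$roots | Sort-Object Store, Subject | Format-Table -AutoSize
'{0} trusted roots, {1} worth a closer look, {2} matching CAcert' -f `
    @($roots).Count, @($suspect).Count, @($cacert).Count
$suspect | Format-Table Store, Subject, NotAfter, SelfIssued -AutoSize
```

Run it in an elevated prompt to see the full LocalMachine store; the CurrentUser store shows roots a single user may have added on their own.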



