[Gpg4win-devel] CA-certificates.crt

Colin Leroy colin at colino.net
Tue Dec 16 08:39:25 CET 2008


On Mon, 15 Dec 2008 17:31:18 +0100, Bernhard Reiter wrote:

Hi,

> > Regarding TLS/SSL, I think it would be best to use the certificates
> > which are already installed on a windows box.  I have not checked
> > whether there is an easy API to list them.  
> 
> I also consider this to be the right solution.
> I do not think we should ship a set of root certificates with gpg4win.

Even if there is an API to list root certificates on Windows, I'm not
sure Gnutls could handle it.

If you really think we shouldn't do that, I can remove it, but in my
opinion and experience, users are unprepared to see "Cannot verify
certificate" when their servers have verisign or thawte certificates,
all ethical issues aside. We had a lot of bug reports on the subject
when the IMAP implementation wasn't able to verify certificates, and
it's already an annoyance to explain when it's due to a technical
reason, so it'll be worse if it fails due to a choice.

-- 
Colin



More information about the Gpg4win-devel mailing list