Ubuntu

gpgsm should ship with a default trust list

Reported by Alex Midgley on 2008-09-23
2
Affects Status Importance Assigned to Milestone
gnupg2 (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: gpgsm

gpgsm needs to trust the certificate authority that signed a certificate in order to verify that certificate. For security purposes, gpg-agent doesn't prompt users to add a CA to the trust list when it is first encountered. However, gpgsm ships with an empty trust list. To make matters worse, when a certificate is not verified because the CA is not trusted, there is no error message that indicates the problem or the solution.

Currently, the user has two options if she wants to use S/MIME: enable trust marking in the gpg-agent configuration file and reboot, or manually enter the CA fingerprints in the trust list. These steps are not well documented, and it is difficult to even determine why S/MIME is failing. S/MIME using gpgsm is essentially unusable for a typical user.

This could be avoided by shipping gpgsm with a trustlist.txt that contains the fingerprints of root certificates for common authorities, e.g. Thawte, Verisign, CACert, etc. I see no advantage to shipping an empty trust list, as the average user already has these authorities trusted is his browser.

I'm using Kubuntu Hardy.

Reinhard Tartler (siretart) wrote :

perhaps we should integrate gnupg2 with the ca-certificates package.

Changed in gnupg2 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers