gpgsm should ship with a default trust list

Bug #273625 reported by Alex Midgley
Affects: gnupg2 (Ubuntu)

Bug Description

Binary package hint: gpgsm

gpgsm needs to trust the certificate authority that signed a certificate in order to verify that certificate. For security purposes, gpg-agent doesn't prompt users to add a CA to the trust list when it is first encountered. However, gpgsm ships with an empty trust list. To make matters worse, when a certificate is not verified because the CA is not trusted, there is no error message that indicates the problem or the solution.

Currently, the user has two options if she wants to use S/MIME: enable trust marking in the gpg-agent configuration file and reboot, or manually enter the CA fingerprints in the trust list. These steps are not well documented, and it is difficult to even determine why S/MIME is failing. S/MIME using gpgsm is essentially unusable for a typical user.

This could be avoided by shipping gpgsm with a trustlist.txt that contains the fingerprints of root certificates for common authorities, e.g. Thawte, Verisign, CACert, etc. I see no advantage to shipping an empty trust list, as the average user already has these authorities trusted in his browser.

I'm using Kubuntu Hardy.

Tags: security
Reinhard Tartler (siretart) wrote :

Perhaps we should integrate gnupg2 with the ca-certificates package.

Changed in gnupg2 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
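
An added example, not part of the original report or of the gnupg2 or ca-certificates packages: one way to turn a PEM bundle of CA certificates into `trustlist.txt` entries (SHA-1 fingerprint followed by the `S` flag), skipping any fingerprint already listed, including ones marked untrusted with a leading `!`. The function names and the sample bundle are assumptions; the sample blocks hold constructed placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Yield the SHA-1 fingerprint (uppercase hex) of each distinct
    certificate in a PEM bundle, in bundle order."""
    seen = set()
    for body in PEM_RE.findall(pem_text):
        # The fingerprint is the hash of the DER bytes, not of the PEM text.
        der = base64.b64decode("".join(body.split()), validate=True)
        fpr = hashlib.sha1(der).hexdigest().upper()
        if fpr not in seen:
            seen.add(fpr)
            yield fpr

def trustlist_lines(pem_text, existing=""):
    """Return trustlist.txt lines for bundle certificates that are not
    already present in the `existing` trust list text."""
    have = set()
    for line in existing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Entries may be colon-separated and may start with "!" (not trusted);
        # an explicitly distrusted CA must not be re-added as trusted.
        have.add(line.split()[0].lstrip("!").replace(":", "").upper())
    return [f"{fpr} S" for fpr in fingerprints(pem_text) if fpr not in have]

def _pem(der):
    """Wrap raw bytes in PEM armor (used only to build the sample input)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample: placeholder payloads, with the first one repeated.
SAMPLE_DER = [b"constructed placeholder A", b"constructed placeholder B"]
SAMPLE_BUNDLE = "".join(_pem(d) for d in SAMPLE_DER + SAMPLE_DER[:1])

if __name__ == "__main__":
    for entry in trustlist_lines(SAMPLE_BUNDLE):
        print(entry)
```
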