
List:       kdepim-users
Subject:    Re: [kdepim-users] KMail and certificates
From:       Ingo Klöcker <kloecker () kde ! org>
Date:       2006-07-31 17:26:16
Message-ID: 200607311926.36812 () erwin ! ingo-kloecker ! de

On Monday 31 July 2006 17:30, Andy Pepperdine wrote:
> On Monday 31 July 2006 13:18, Ingo Klöcker wrote:
> > Am Montag, 31. Juli 2006 12:39 schrieb Andy Pepperdine:
> > > On Monday 31 July 2006 10:56, Ingo Klöcker wrote:
> > > > Am Montag, 31. Juli 2006 10:45 schrieb Andy Pepperdine:
> > Download the Class 1 and the Class 3 Root Certificates (in PEM
> > format) from http://www.cacert.org/index.php?id=3 and then import
> > them into Kleopatra.
>
> These now seem to be in Kleopatra, and all chains are complete -
> after I did a log out and in, and then I found a validate menu entry.

Yeah, sorry. I should have told you about validate.

> > > > Additionally, you have to tell Kleopatra that
> > > > you want to trust this root certificate. To do this you have to
> > > > add the key to the file ~/.gnupg/trustlist.txt. Have a look at
> > > > http://jdurand.home.cern.ch/jdurand/cern_ca_and_mail/ (search
> > > > for "Trusting keys").
> > >
> > > That talks about signing. But I'm just receiving from someone
> > > else. Why is it relevant?
> >
> > Because otherwise KMail will not trust the certificate and thus
> > won't validate any signatures.
>
> OK. I've tried to follow those instructions, but there was no change
> to the validation status of the message in question. So, how do I
> tell whether a key is trusted? I'm guessing that it is the line in
> the Additional Information for Key labelled: Can be used for
> authentication.
> Is that right? The line says No.

Nope.

> The difficulty with the CERN paper is that it refers to a fingerprint
> (which appears in the Details tab), but also refers to the :
> separator (which only occurs in the Dump tab, where there is no
> fingerprint, but various other numbers). I used the Details tab
> Fingerprint, and appended an S

I have just added the following two lines to ~/.gnupg/trustlist.txt (the 
first line is just an optional comment):

# CN=CA Cert Signing Authority,EMAIL=support@cacert.org,OU=http://www.cacert.org,O=Root CA
135CEC36F49CB8E93B1AB270CD80884676CE8F33 S

After that you have to make gpg-agent aware of the changes. I did this 
by running "killall -HUP gpg-agent". Afterwards a message signed with a 
certificate issued by CAcert.org is verified correctly (for me).

> > Having said this there's of course room for improvements. One
> > improvement that happens with web browsers is that they do already
> > come with the root certificates of some trusted issuers of
> > certificates. Therefore your browser does already trust a lot of
> > websites that use certificates issued by those certification
> > authorities. AFAIK CAcert.org is trying to convince the browser
> > developers to include their root certificate. I don't know how far
> > they've got until now.
>
> Do I understand this correctly? Browsers are issued with some keys
> that they trust built in.

Yes.

> But the point about security is that I 
> should be responsible for all my own security. So will it explicitly
> ask me whether it should trust such a key when it finds one the first
> time before accepting it? Or have I already unknowingly accepted some 
> trust mechanism I knew nothing about?

Depending on the browser you are using you are trusting certain 
certificate authorities by default. The browser manufacturers have 
hopefully done their homework and have checked the authenticity of the 
root certificates. Many websites use certificates which have been issued 
by one of the trusted CAs. Therefore you are not asked whether you want 
to trust them. With https://bugs.kde.org this is different because we 
don't use a certificate which was issued by one of the well-known CAs. 
So for this website you are asked whether you want to trust the 
certificate.

> Surely I ought to say who I 
> will trust; but by all means allow the browser to select the keys
> from known places to present to me for approval through an
> intelligent dialog. And how easy is it to add to a browser new keys
> it needs?

You mean how easy is it for you? It's trivial. If the browser encounters 
an unknown certificate which can't be verified using one of the 
available root certificates then the browser will ask you whether you 
want to accept it. Konqueror gives you the choice between "Only for this 
session" or "Forever". If you choose "Forever" then the certificate will 
be stored by Konqueror. It should be very similar with other browsers.

If you mean how easy is it to add a root certificate to the official 
release version of a browser then I can't answer this question. But it's 
not really easy.

Regards,
Ingo

[Attachment #5 (application/pgp-signature)]

_______________________________________________
KDE PIM users mailing list
kdepim-users@kde.org
https://mail.kde.org/mailman/listinfo/kdepim-users
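
The trustlist.txt step described in the message above, as an added example that is not part of the original post: a bash helper that normalizes a fingerprint (gpg-agent's trustlist format accepts it with or without colon separators), checks whether an active entry already exists, and appends the `S` line only once. The function names are hypothetical and the demo writes to a scratch file rather than `~/.gnupg/trustlist.txt`.

```shell
#!/usr/bin/env bash
# Added example (not from the original message). Function names are hypothetical.
export LC_ALL=C   # keep [A-F] ranges byte-exact

# Strip colons/whitespace, uppercase, and require exactly 40 hex digits (SHA-1).
normalize_fpr() {
    local fpr
    fpr=$(printf '%s' "$1" | tr -d ': \t' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Succeed if FILE holds an active entry for the fingerprint, in either notation.
# Comment lines and '!'-prefixed (explicitly untrusted) entries do not count.
trustlist_has() {
    local file=$1 want have entry
    want=$(normalize_fpr "$2") || return 2
    [ -f "$file" ] || return 1
    while read -r entry _ || [ -n "$entry" ]; do
        case "$entry" in '#'*|'') continue ;; esac
        have=$(normalize_fpr "$entry") || continue
        [ "$have" = "$want" ] && return 0
    done < "$file"
    return 1
}

# Append "<fingerprint> S" (with an optional comment line) unless already present.
trustlist_add() {
    local file=$1 comment=$3 fpr
    fpr=$(normalize_fpr "$2") || { echo "not a SHA-1 fingerprint: $2" >&2; return 2; }
    if trustlist_has "$file" "$fpr"; then return 0; fi
    if [ -n "$comment" ]; then printf '# %s\n' "$comment" >> "$file"; fi
    printf '%s S\n' "$fpr" >> "$file"
}

# Demo on a scratch file, using the fingerprint quoted in the message
# (first in colon-separated form, then in plain lowercase form).
demo=$(mktemp)
trustlist_add "$demo" "13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33" "CAcert root"
trustlist_add "$demo" "135cec36f49cb8e93b1ab270cd80884676ce8f33"   # no-op, already listed
cat "$demo"; rm -f "$demo"
# On the real file, follow up with: killall -HUP gpg-agent   (as in the message)
```

Before trusting a root this way, compare the fingerprint shown in Kleopatra's Details tab with the one the CA publishes through a separate channel.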

