diff options
| author | Werner Koch <[email protected]> | 2011-12-07 15:15:15 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2011-12-07 15:15:15 +0000 |
| commit | 8a12a2000d82acfa881e8c18d028290100bf5e43 (patch) | |
| tree | 3e212fdf3888181fa70570580bf7dbed65e3756a /doc | |
| parent | Correct punctuation in the ChangeLog summary line. (diff) | |
| download | gnupg-8a12a2000d82acfa881e8c18d028290100bf5e43.tar.gz gnupg-8a12a2000d82acfa881e8c18d028290100bf5e43.zip | |
gpgsm: Add new validation model "steed".
* sm/gpgsm.h (VALIDATE_FLAG_STEED): New.
* sm/gpgsm.c (gpgsm_parse_validation_model): Add model "steed".
* sm/server.c (option_handler): Allow validation model "steed".
* sm/certlist.c (gpgsm_cert_has_well_known_private_key): New.
* sm/certchain.c (do_validate_chain): Handle the
well-known-private-key attribute. Support the "steed" model.
(gpgsm_validate_chain): Ditto.
* sm/verify.c (gpgsm_verify): Return "steed" in the trust status line.
* sm/keylist.c (list_cert_colon): Print the new 'w' flag.
--
This is the first part of changes to implement the STEED proposal as
described at http://g10code.com/steed.html . The idea for X.509 is
not to use plain self-signed certificates but certificates signed by a
dummy CA (i.e. one for which the private key is known). Having a
single CA as an indication for the use of STEED might help other X.509
implementations to implement STEED.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/DETAILS | 5 | ||||
| -rw-r--r-- | doc/gpgsm.texi | 9 |
2 files changed, 10 insertions, 4 deletions
diff --git a/doc/DETAILS b/doc/DETAILS index 2e6874e9a..ddf7438f5 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -58,6 +58,10 @@ record; gpg2 does this by default and the option is a dummy. u = The key is ultimately valid. This often means that the secret key is available, but any key may be marked as ultimately valid. + w = The key has a well known private part. + s = The key has special validity. This means that it + might be self-signed and expected to be used in + the STEED sytem. If the validity information is given for a UID or UAT record, it describes the validity calculated based on this @@ -347,6 +351,7 @@ more arguments in future versions. "pgp" for the standard PGP WoT. "shell" for the standard X.509 model. "chain" for the chain model. + "steed" for the STEED model. Note that we use the term "TRUST_" in the status names for historic reasons; we now speak of validity. diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 8e25baf62..bdb03783e 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -451,10 +451,11 @@ address and the time when you verified the signature. @item --validation-model @var{name} @opindex validation-model This option changes the default validation model. The only possible -values are "shell" (which is the default) and "chain" which forces the -use of the chain model. The chain model is also used if an option in -the @file{trustlist.txt} or an attribute of the certificate requests it. -However the standard model (shell) is in that case always tried first. +values are "shell" (which is the default), "chain" which forces the +use of the chain model and "steed" for a new simplified model. The +chain model is also used if an option in the @file{trustlist.txt} or +an attribute of the certificate requests it. However the standard +model (shell) is in that case always tried first. @item --ignore-cert-extension @var{oid} @opindex ignore-cert-extension |