From 74d344a521c8a7a294b8da2cf2647e112fd5b310 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 10 Aug 2007 16:52:05 +0000 Subject: Implemented the chain model for X.509 validation. --- doc/ChangeLog | 4 ++++ doc/DETAILS | 31 ++++++++++++++++++++----------- doc/gpgsm.texi | 14 +++++++++++++- doc/specify-user-id.texi | 2 +- 4 files changed, 38 insertions(+), 13 deletions(-) (limited to 'doc') diff --git a/doc/ChangeLog b/doc/ChangeLog index a176a04c4..69f028c3c 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,7 @@ +2007-08-09 Werner Koch + + * gpgsm.texi (Certificate Options): Describe --validation-model. + 2007-07-23 Werner Koch * scdaemon.texi (Scdaemon Commands): Remove obsolete --print-atr. diff --git a/doc/DETAILS b/doc/DETAILS index ca5f346aa..2d60aae6a 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -253,8 +253,8 @@ more arguments in future versions. presence of the letter 'T' inside. VALIDSIG - [ - ] + + [ ] The signature with the keyid is good. This is the same as GOODSIG but has the fingerprint as the argument. Both status @@ -269,8 +269,9 @@ more arguments in future versions. useful to get back to the primary key without running gpg again for this purpose. - The optional parameters are used for OpenPGP and are not - available for CMS signatures. + The primary-key-fpr parameter is used for OpenPGP and not + available for CMS signatures. The sig-version as well as the + sig class is not defined for CMS and currently set to 0 and 00. Note, that *-TIMESTAMP may either be a number with seconds since epoch or an ISO 8601 string which can be detected by the 
@@ -310,13 +311,21 @@ more arguments in future versions. TRUST_UNDEFINED - TRUST_NEVER - TRUST_MARGINAL - TRUST_FULLY - TRUST_ULTIMATE - For good signatures one of these status lines are emitted - to indicate how trustworthy the signature is. The error token - values are currently only emitted by gpgsm. + TRUST_NEVER + TRUST_MARGINAL [0 []] + TRUST_FULLY [0 []] + TRUST_ULTIMATE [0 []] + For good signatures one of these status lines are emitted to + indicate how trustworthy the signature is. The error token + values are currently only emitted by gpgsm. VALIDATION_MODEL + describes the algorithm used to check the validity of the key. + The default is the standard gpg Web of Trust model respective + the standard X.509 model. The defined values are + + "pgp" for the standard PGP WoT. + "shell" for the standard X.509 model. + "chain" for the chain model. + PKA_TRUST_GOOD PKA_TRUST_BAD diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 23e88afeb..38b35364c 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -412,6 +412,17 @@ requests in Dirmngr's configuration too (option @option{--allow-ocsp} and configure dirmngr properly. If you don't do so you will get the error code @samp{Not supported}. + +@item --validation-model @var{name} +@opindex validation-model +This option changes the default validation model. The only possible +values are "shell" (which is the default) and "chain" which forces the +use of the chain model. The chain model is also used if an option in +the @file{trustlist.txt} or an attribute of the certificate requests it. +However the standard model (shell) is in that case always tried first. + + + @end table @c ******************************************* 
@@ -550,7 +561,8 @@ encryption. For convenience the strings @code{3DES}, @code{AES} and @opindex faked-system-time This option is only useful for testing; it sets the system time back or forth to @var{epoch} which is the number of seconds elapsed since the year -1970. +1970. Alternativly @var{epoch} may be given as a full ISO time string +(e.g. "20070924T154812"). @item --with-ephemeral-keys @opindex with-ephemeral-keys diff --git a/doc/specify-user-id.texi b/doc/specify-user-id.texi index 0b615b657..0929a10f8 100644 --- a/doc/specify-user-id.texi +++ b/doc/specify-user-id.texi @@ -122,7 +122,7 @@ This should return the Root cert of the issuer. See note above. @item By exact match on serial number and issuer's DN. This is indicated by a hash mark, followed by the hexadecmal -representation of the serial number, the followed by a slash and the +representation of the serial number, then followed by a slash and the RFC-2253 encoded DN of the issuer. See note above. @cartouche -- cgit v1.2.3
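Review bot: The ChangeLog hunk (doc/ChangeLog) lists only the gpgsm.texi change, but the same commit also rewrites the VALIDSIG and TRUST_* descriptions and adds the VALIDATION_MODEL status line in doc/DETAILS, extends --faked-system-time, and touches doc/specify-user-id.texi; add entries for those files so the log matches the diffstat (4 files changed).

Review bot: In the second DETAILS hunk (@@ -269,8 +269,9 @@) the new sentence "The sig-version as well as the sig class is not defined for CMS and currently set to 0 and 00" has a number-agreement problem and leaves it unclear which of the two values belongs to which field; suggest "The sig-version and the sig class are not defined for CMS and are currently set to 0 and 00 respectively." Also, the VALIDSIG argument line in the preceding hunk shows only an empty bracket pair, so the reader cannot see the positional order of fingerprint, primary-key-fpr, sig-version and sig class that this paragraph refers to; spell the placeholders out on that line.

Review bot: In the third DETAILS hunk (@@ -310,13 +311,21 @@) TRUST_MARGINAL, TRUST_FULLY and TRUST_ULTIMATE gain an optional "[0 []]" argument that the surrounding paragraph never explains; document what the constant 0 and the bracketed value mean and when they are present, since status-line consumers parse these fields. Two wording fixes in the same hunk: "one of these status lines are emitted" should read "is emitted", and "the standard gpg Web of Trust model respective the standard X.509 model" should read "the standard gpg Web of Trust model or the standard X.509 model, respectively."

Review bot: The --validation-model description in gpgsm.texi (@@ -412,6 +412,17 @@) tells the reader the two permitted values but not what the chain model actually does differently from the shell model, so a user has no basis for choosing it; one sentence contrasting the two would help. The sentence "The chain model is also used if an option in the @file{trustlist.txt} or an attribute of the certificate requests it" is the part an administrator most needs to understand, because it means the model can be switched without the command-line option; name the trustlist.txt flag and the certificate attribute concerned. Style: use @code{shell} and @code{chain} instead of bare double quotes, consistent with the @option and @file markup around them, and drop the two extra blank lines added before @end table.

Review bot: In the --faked-system-time hunk (@@ -550,7 +561,8 @@) "Alternativly" is a typo for "Alternatively", and the example should be marked up as @samp{20070924T154812} rather than plain quotes. The example carries no zone designator, so state whether the ISO string is interpreted as UTC or local time; a test that sets the clock back for certificate validation gives different results depending on the answer.

Review bot: The specify-user-id.texi hunk corrects "the followed by a slash" to "then followed by a slash", but the context line directly above still reads "hexadecmal"; fix that to "hexadecimal" in the same change.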