From c1270f06feda61ff864c485336d31db8a00cb56c Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 19 Nov 2007 16:32:05 +0000 Subject: Document --auto-issuer-key-retrieve. --- doc/ChangeLog | 5 +++++ doc/DETAILS | 1 + doc/gpgsm.texi | 13 ++++++++++++- 3 files changed, 18 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/ChangeLog b/doc/ChangeLog index 7a455df7a..1e276e2a3 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,8 @@ +2007-11-19 Werner Koch + + * gpgsm.texi (Certificate Options): Document + --auto-issuer-key-retrieve. + 2007-11-15 Werner Koch * gpg.texi (GPG Configuration): Add PINENTRY_USER_DATA. diff --git a/doc/DETAILS b/doc/DETAILS index 2d60aae6a..1582f6936 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -554,6 +554,7 @@ more arguments in future versions. 8 := "Policy mismatch" 9 := "Not a secret key" 10 := "Key not trusted" + 11 := "Missing certifciate" (e.g. intermediate or root cert.) Note that this status is also used for gpgsm's SIGNER command where it relates to signer's of course. diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index e98de1512..f9f783702 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -405,7 +405,7 @@ command. This option should not be used in a configuration file. @itemx --disable-ocsp @opindex enable-ocsp @opindex disable-ocsp -Be default @acronym{OCSP} checks are disabled. The enable opton may +Be default @acronym{OCSP} checks are disabled. The enable option may be used to enable OCSP checks via Dirmngr. If @acronym{CRL} checks are also enabled, CRLs will be used as a fallback if for some reason an OCSP request won't succeed. Note, that you have to allow OCSP @@ -413,6 +413,17 @@ requests in Dirmngr's configuration too (option @option{--allow-ocsp} and configure dirmngr properly. If you don't do so you will get the error code @samp{Not supported}. +@item --auto-issuer-key-retrieve +@opindex auto-issuer-key-retrieve +If a required certificate is missing while validating the chain of +certificates, try to load that certificate from an external location. +This usually means that Dirmngr is employed t search for the +certificate. Note that this option makes a "web bug" like behavior +possible. LDAP server operators can see which keys you request, so by +sending you a message signed by a brand new key (which you naturally +will not have on your local keybox), the operator can tell both your IP +address and the time when you verified the signature. + @item --validation-model @var{name} @opindex validation-model -- cgit v1.2.3