path: root/dirmngr/dirmngr.c
author Daniel Kahn Gillmor <[email protected]> 2016-10-27 22:30:58 +0000
committer Werner Koch <[email protected]> 2016-11-17 14:29:35 +0000
commit 7c1613d41566f7d8db116790087de323621205fe
tree 7f600268106788a35f089a062af3783b0791595c /dirmngr/dirmngr.c
parent dirmngr: Register hkp-cacert even if the file doesn't exist yet
dirmngr: Add system CAs if no hkp-cacert is given

* dirmngr/dirmngr.c (http_session_new): If the user isn't talking to
the HKPS pool, and they have not specified any hkp-cacert, then we
should default to the system CAs, rather than nothing.
* doc/dirmngr.texi: Document choice of CAs.

--

Consider three possible classes of dirmngr configuration:

 a) no hkps:// keyserver URLs at all (communication with keyservers is
    entirely in the clear)

 b) hkps:// keyserver URLs, but no hkp-cacert directives

 c) hkps:// keyserver URLs, and at least one hkp-cacert directive

class (a) provides no confidentiality of requests.

class (b) currently will never work because the server certificate
cannot be validated.

class (c) is currently supported as intended.

This patch allows users with configurations in class (b) to work as
most users expect (relying on the system certificate authorities),
without affecting users in classes (a) or (c).

Signed-off-by: Daniel Kahn Gillmor <[email protected]>

o minor indentation fix - wk
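
An added example, not part of the commit or of GnuPG's code: a small Python audit that sorts a dirmngr.conf into the three classes from the commit message and reports which trust roots each hkps:// keyserver gets once this change is applied. The pool hostname, the sample configurations and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the commit message only says "the HKPS pool"; this is its hostname.
HKPS_POOL_HOST = "hkps.pool.sks-keyservers.net"

def parse_conf(text):
    """Collect keyserver URLs and hkp-cacert paths from dirmngr.conf text."""
    keyservers, cacerts = [], []
    for raw in text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or option without a value
        option, value = fields[0].lower(), fields[1].strip()
        if option == "keyserver":
            keyservers.append(value)
        elif option == "hkp-cacert":
            cacerts.append(value)
    return keyservers, cacerts

def classify(text):
    """Return (class letter, {hkps URL: trust roots with this change applied})."""
    keyservers, cacerts = parse_conf(text)
    tls = [u for u in keyservers if urlsplit(u).scheme == "hkps"]
    if not tls:
        return "a", {}  # class (a): requests go out in the clear
    roots = {}
    for url in tls:
        host = (urlsplit(url).hostname or "").lower()
        if cacerts:
            roots[url] = "hkp-cacert: " + ", ".join(cacerts)  # class (c), unchanged
        elif host == HKPS_POOL_HOST:
            roots[url] = "pool handling, not covered by this change"
        else:
            roots[url] = "system CAs"  # class (b): previously could not validate
    return ("c" if cacerts else "b"), roots

# Constructed sample configurations, one per class.
CLASS_A = "keyserver hkp://keys.example.org\n"
CLASS_B = "# constructed sample\nkeyserver hkps://keys.example.org\n"
CLASS_C = CLASS_B + "hkp-cacert /etc/gnupg/example-ca.pem\n"

if __name__ == "__main__":
    for name, conf in (("A", CLASS_A), ("B", CLASS_B), ("C", CLASS_C)):
        print(name, classify(conf))
```
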