Public bug reported:

Binary package hint: gpgsm

gpgsm needs to trust the certificate authority that signed a certificate
in order to verify that certificate.  For security purposes, gpg-agent
doesn't prompt users to add a CA to the trust list when it is first
encountered.  However, gpgsm ships with an empty trust list.  To make
matters worse, when a certificate is not verified because the CA is not
trusted, there is no error message that indicates the problem or the
solution.

Currently, the user has two options if she wants to use S/MIME: enable
trust marking in the gpg-agent configuration file and reboot, or
manually enter the CA fingerprints in the trust list.  These steps are
not well documented, and it is difficult to even determine why S/MIME is
failing.  S/MIME using gpgsm is essentially unusable for a typical user.

This could be avoided by shipping gpgsm with a trustlist.txt that
contains the fingerprints of root certificates for common authorities,
e.g. Thawte, Verisign, CACert, etc.  I see no advantage to shipping an
empty trust list, as the average user already has these authorities
trusted in his browser.

I'm using Kubuntu Hardy.

** Affects: gnupg2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: security

-- 
gpgsm should ship with a default trust list
https://bugs.launchpad.net/bugs/273625
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
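
The manual option mentioned in the report, as an added example that is not part of the original bug report or of GnuPG: it derives the SHA-1 fingerprint of a root certificate and adds it to trustlist.txt content only after checking for an existing or `!` (distrusted) entry. It assumes the trustlist.txt format from the GnuPG documentation (hex fingerprint, optional colons, `S` flag for S/MIME roots); the function names and the sample PEM are hypothetical, and a real fingerprint should be compared against one published by the CA before it is added.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, not a real CA certificate: the fingerprint is
# simply SHA-1 over whatever DER bytes the PEM armor carries.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed example root DER " * 4).decode()
              + "-----END CERTIFICATE-----\n")


def fingerprint(pem: str) -> str:
    """SHA-1 fingerprint of the first PEM certificate, colon-separated."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_trustlist(text: str) -> dict:
    """Map each bare hex fingerprint to True (trusted) or False ('!' entry)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines and blank lines are ignored
        fields = line.split()
        trusted = not fields[0].startswith("!")
        entries[fields[0].lstrip("!").replace(":", "").upper()] = trusted
    return entries


def add_root(text: str, pem: str, label: str) -> str:
    """Return trustlist text with the certificate added as an S/MIME root."""
    fpr = fingerprint(pem)
    state = parse_trustlist(text).get(fpr.replace(":", ""))
    if state is False:
        raise ValueError("fingerprint is explicitly distrusted with '!'")
    if state is True:
        return text  # already present, keep the file unchanged
    if text and not text.endswith("\n"):
        text += "\n"
    return f"{text}# {label}\n{fpr} S\n"
```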
