Ultimate trust

David Bremner david at tethera.net
Sun Mar 22 18:20:15 PDT 2020


Philip Hands <phil at hands.com> writes:

> Tomas Nordin <tomasn at posteo.net> writes:
>
>> Teemu Likonen <tlikonen at iki.fi> writes:
> ...
>>> I do this: I press "Yes" (to trust "ultimately") but then immediately go
>>> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
>>> that certificate authority's key fingerprint. It marks that key
>>> untrusted (because I really don't know). Then: "gpgconf --reload
>>> gpg-agent".
>>
>> OK, thanks. That already feels better, knowing I can revert this trust
>> easily like that. And some better understanding for what's going on.
>
> That seems like a UI bug to me -- I'd have thought that there should be
> a "No" button so that you can stop it repeatedly asking (presumably by
> automatically doing the same as the above manual procedure).
>
> Would anyone happen to know where that should be reported?
>
> I have a feeling that I'd want to default that to answering "No", and
> never see the prompt.

I think this is all about S/MIME and gpgsm. The issue with the delays
is already reported to

 https://dev.gnupg.org/T3348

It can be worked around with "disable-crl-checks" in the gpgsm
config. But if you actually care about S/MIME messages that has some
drawbacks.

The more general question of asking people to trust the CA of some
random person on the internet seems crazy to me as well. I'm not sure,
maybe dkg has ideas about how to fix the UI issue from the notmuch side.

d
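
The manual trustlist.txt edit quoted above, written as a shell function. This is an added example, not part of the original thread or of GnuPG; `distrust_ca` is a hypothetical helper name, and it assumes the gpg-agent trustlist format of one fingerprint per line (colons optional) followed by flags. After it succeeds, run "gpgconf --reload gpg-agent" as in the quoted procedure.

```shell
#!/bin/sh
# Added example; distrust_ca is a hypothetical helper, not part of GnuPG.
# usage: distrust_ca FINGERPRINT [TRUSTLIST]
# returns 0 = entry is now "!"-prefixed, 1 = no such entry,
#         2 = bad input or temp-file failure
distrust_ca() {
    fpr=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    list=${2:-"$HOME/.gnupg/trustlist.txt"}
    case $fpr in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 2      # SHA-1 fingerprint: 40 hex digits
    [ -f "$list" ] || return 1
    tmp=$(mktemp "$list.XXXXXX") || return 2
    if awk -v want="$fpr" '
        /^[ \t]*#/ { print; next }        # comments pass through
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            bang = (substr(line, 1, 1) == "!")
            if (bang) line = substr(line, 2)
            key = line
            sub(/[ \t].*$/, "", key)      # first field is the fingerprint
            gsub(/:/, "", key)            # colons are optional separators
            if (toupper(key) == want) {
                found = 1
                if (!bang) { print "!" line; next }
            }
            print
        }
        END { exit(found ? 0 : 1) }
    ' "$list" > "$tmp"; then
        mv "$tmp" "$list"
    else
        rm -f "$tmp"
        return 1
    fi
}
```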


