Questions about OpenPGP best practices

Doug Barton dougb at dougbarton.us
Tue Feb 26 08:28:17 CET 2013


On 02/25/2013 11:10 PM, Daniel Kahn Gillmor wrote:
| On 02/25/2013 10:43 PM, Doug Barton wrote:
|> The Best Practices page you posted above actually suggests:
|>
|>    keyserver hkps://hkps.pool.sks-keyservers.net
|>    keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
|>
|> That worked for me, although I was a bit disappointed that placing the
|> cert at /etc/ssl/certs/ca.hkps.pool.sks-keyservers.net.cert didn't work
|> like all the docs said it should.
|
| which docs suggested that should work?

lots, this one for example:

https://help.ubuntu.com/community/GnuTLS

| what operating system are you expecting it to work for?

Ubuntu.

| if you're using debian or a debian-derived system like mint or ubuntu,
| and you want to add a CA to the "system trusted root store", you
| actually want to add the file with a .crt extension (not .cert) to
| /usr/local/share/ca-certificates/ and then run "update-ca-certificates"
| as the superuser.
|
| Please read:
|
|   /usr/share/doc/ca-certificates/README.Debian
|
| on your local system for more details.

Thanks. :)

|> Does anyone know where/how to place the cert file on the system so that
|> it can be called by demand, rather than having to specify it in the
|> gpg.conf?
|
| gpg's keyserver-option ca-cert-file's default for hkps is dependent on
| the TLS library libcurl linked to from libcurl in the handler in
| /usr/lib/gnupg/gpgkeys_hkp.  on debian systems right now, this is
| libgnutls26, which currently has no default root CAs.
|
| newer versions of gnutls have a standard default root CA set that maps
| to the system provided above by ca-certificates.
|
| If and when gnupg-curl builds against libgnutls28-dev (the next major
| API change in gnutls), it should adopt those changes.

So it sounds like what you're saying is that there is no hope for a
system-wide solution for hkps? I can live with the gpg.conf option, I
was mostly sort of curious about adding certs to my system since I have
other uses for that ability down the road.

Thanks again,

Doug

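As an added example (not from this thread or from GnuPG), a small Python lint for the two pitfalls discussed above: an hkps keyserver in gpg.conf whose ca-cert-file is absent or unusable, and a CA dropped into /usr/local/share/ca-certificates with a suffix other than .crt, which update-ca-certificates ignores. The option names are the real gpg.conf ones; the sample files and the certificate body are constructed placeholders.

```python
import tempfile
from pathlib import Path

def parse_gpg_conf(text):
    """Return (keyserver, keyserver-options dict); later lines override earlier ones."""
    keyserver, options = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "keyserver":
            keyserver = value.strip()
        elif key == "keyserver-options":             # comma- or space-separated list
            for opt in value.replace(",", " ").split():
                name, _, val = opt.partition("=")
                options[name] = val
    return keyserver, options

def check_hkps_config(text):
    """Return a list of (code, message) findings; an empty list means the hkps setup is sound."""
    keyserver, opts = parse_gpg_conf(text)
    if keyserver is None:
        return [("no-keyserver", "gpg.conf has no keyserver line")]
    if not keyserver.startswith("hkps://"):
        return [("not-hkps", "keyserver lookups are not TLS-protected: " + keyserver)]
    ca = opts.get("ca-cert-file")
    if not ca:    # gpgkeys_hkp then relies on the TLS library's root store, which libgnutls26 lacks
        return [("no-ca-cert-file", "hkps without ca-cert-file has no trust anchor on libgnutls26")]
    if not Path(ca).is_file() or "-----BEGIN CERTIFICATE-----" not in Path(ca).read_text(errors="replace"):
        return [("ca-unusable", "ca-cert-file is missing or holds no PEM CERTIFICATE block: " + ca)]
    return []

def ignored_local_cas(local_dir="/usr/local/share/ca-certificates"):
    """Files that update-ca-certificates silently skips because their suffix is not .crt."""
    d = Path(local_dir)
    return sorted(p.name for p in d.iterdir() if p.is_file() and p.suffix != ".crt") if d.is_dir() else []

def demo():
    # Exercise the checks on constructed files in a scratch directory; the cert body is a placeholder.
    with tempfile.TemporaryDirectory() as tmp:
        ca = Path(tmp, "sks-keyservers.netCA.pem")
        ca.write_text("-----BEGIN CERTIFICATE-----\nMIIB..constructed-placeholder..\n-----END CERTIFICATE-----\n")
        store = Path(tmp, "store"); store.mkdir()
        store.joinpath("ca.hkps.pool.sks-keyservers.net.cert").write_text("")   # the .cert mistake from the thread
        good = f"keyserver hkps://hkps.pool.sks-keyservers.net\nkeyserver-options ca-cert-file={ca}\n"
        return (check_hkps_config(good), check_hkps_config("keyserver hkps://hkps.pool.sks-keyservers.net\n"),
                check_hkps_config("keyserver hkp://pool.sks-keyservers.net\n"), ignored_local_cas(store))
```

Run `demo()` to see the four results: a clean config, an hkps line with no ca-cert-file, a plain hkp line, and the mis-suffixed file in the drop-in directory.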



More information about the Gnupg-users mailing list