Bug 378781 - kleopatra: dialog asks for: trust new root-cert but displays only CN, no fingerprint, or other ways to check the root-cert
Status: RESOLVED UPSTREAM
Alias: None
Product: kleopatra
Classification: Applications
Component: general
Version: 2.3.0
Platform: Neon Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Andre Heinecke
Reported: 2017-04-14 14:33 UTC by Achim Bohnet
Modified: 2017-04-18 13:15 UTC

Description Achim Bohnet 2017-04-14 14:33:52 UTC
Once, when I started kleopatra, a dialog was shown that asked me if I want to trust the root cert for signing user certs. Only the CN was displayed, no fingerprint or a 'more ..' button that would point to more detailed key info.

Because the kleopatra window was not visible yet, it was a question that could not
be decided at this moment, if the root key was really the one at:
https://www.pki.dfn.de/wurzelzertifikate/globalroot/#c15065

Please add 'fingerprint' or 'Detail ..' or whatever way allows one to verify that
the cert is really trustworthy.

Achim
Comment 1 Andre Heinecke 2017-04-18 13:15:57 UTC
Hi,

Sorry for tossing the ball away but that sadly is not Kleopatra's fault. That dialog comes directly from the GnuPG System.

On the command line you get the same dialog:
export GNUPGHOME=$(mktemp -d)
curl http://cdp.pca.dfn.de/global-root-ca/pub/cacert/cacert_sha1.pem  | gpgsm --import
gpgsm --with-validation -k 

I'm actually against asking the user if a certificate is trusted or not. This should be an administrative decision or maybe available in the certificate details but imo 90% of users will just click the dialogs away.

Weirdly enough, if you click yes in the first dialog you are asked in a second dialog to confirm the fingerprint. I believe the idea there is that you are first asked: Do you really want to trust "this CA"? And in the second: Have you confirmed that "this fingerprint" is correct?

The upstream tracker is https://dev.gnupg.org/
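
Added example, not part of the bug report and not GnuPG's or Kleopatra's code: the check the reporter asks for, done outside the dialog. It computes the fingerprint of a PEM certificate (the digest of its DER encoding) and compares it with a value obtained out of band, such as the one published on the CA's website. It goes slightly beyond the thread by emitting a gpg-agent trustlist.txt entry (fingerprint followed by the S flag) only on a match. The function names are hypothetical, and the sample PEM and fingerprint are constructed, not the DFN root.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_from_pem(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def fingerprint(der, algo="sha1"):
    """Hex fingerprint: the digest of the certificate's DER encoding."""
    return hashlib.new(algo, der).hexdigest().upper()


def normalize(fpr):
    """Strip colons and whitespace so 'A9:99:..' and 'a999..' compare equal."""
    cleaned = re.sub(r"[:\s]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("fingerprint is not hex")
    return cleaned


def trustlist_line(pem_text, published_sha1, comment):
    """Return a trustlist.txt entry only if the SHA-1 fingerprint matches."""
    actual = fingerprint(der_from_pem(pem_text), "sha1")
    if actual != normalize(published_sha1):
        raise ValueError("fingerprint mismatch: got " + actual)
    return "# %s\n%s S\n" % (comment, actual)


# Constructed sample: the body is base64 of b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Constructed "published" value: SHA-1 of b"abc", written with colons.
SAMPLE_SHA1 = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"

if __name__ == "__main__":
    print(trustlist_line(SAMPLE_PEM, SAMPLE_SHA1, "constructed sample, not a CA"), end="")
```

With a real root certificate, the published fingerprint must come from a channel independent of the one the certificate was downloaded over.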