Created attachment 112210
Report on Findings

Dear KMail Team,

some time ago we informed you about the errors we detected in KMail with respect to the certification path validation (Bug 385687) in the course of a project contracted out by the German Federal Office for Information Security. We have now written up our conclusive report on all findings within the project. We kindly ask you to review it with respect to the statements pertaining to your product and give us feedback within two weeks from today whether you have any objections against the publication of this document in its current form.

Best Regards,
Evangelos and Falko
The content of attachment 112210 has been deleted for the following reason: Remove confidential report
Hello,

Would you please share that report with the GnuPG Team (https://www.gnupg.org/documentation/security.html) or in a mail to the gnupg-devel mailing list? KMail is just a downstream user of GnuPG, as I've written in 385687.

Best Regards,
Andre Heinecke

P.S. What to do about this issue? Resolve as Upstream?
The report was sent to security@gnupg.org and I took over responsibility. In my opinion there is no need for any security action in KMail. In fact, KMail is looking very very good in that report with only a minor GUI issue about an expert / testing feature in Kleopatra raised.