mirror of
git://git.gnupg.org/gnupg.git
synced 2025-07-03 22:56:33 +02:00
sm: Consider certificates w/o CRL DP as valid.
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP. * common/audit.c (proc_type_verify): Print "n/a" if a cert has no distribution point. * sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check. * sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New. (opts): Add option --enable-issuer-based-crl-check. (main): Set option. -- If the issuer does not provide a DP and the user wants such an issuer, we expect that a certificate does not need revocation checks. The new option --enable-issuer-based-crl-check can be used to revert to the old behaviour which requires that a suitable LDAP server has been configured to lookup a CRL by issuer. Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from master)
This commit is contained in:
parent
bc7e56d9dc
commit
1424c12e4c
5 changed files with 34 additions and 0 deletions
|
@ -438,6 +438,14 @@ hold in the keybox. The suggested way of doing this is by using it
|
|||
along with the option @option{--with-validation} for a key listing
|
||||
command. This option should not be used in a configuration file.
|
||||
|
||||
@item --enable-issuer-based-crl-check
|
||||
@opindex enable-issuer-based-crl-check
|
||||
Run a CRL check even for certificates which do not have any CRL
|
||||
distribution point. This requires that a suitable LDAP server has
|
||||
been configured in Dirmngr and that the CRL can be found using the
|
||||
issuer. This option reverts to what GnuPG did up to version 2.2.20.
|
||||
This option is in general not useful.
|
||||
|
||||
@item --enable-ocsp
|
||||
@itemx --disable-ocsp
|
||||
@opindex enable-ocsp
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue