* options.h, gpg.c (main, parse_trust_model), pkclist.c

(check_signatures_trust), mainproc.c (check_sig_and_print,
pka_uri_from_sig), trustdb.c (init_trustdb): Some tweaks to PKA so that it
is a verify-option now.

g10/ChangeLog

@@ -1,3 +1,10 @@
+2006-03-07  David Shaw  <dshaw@jabberwocky.com>
+
+	* options.h, gpg.c (main, parse_trust_model), pkclist.c
+	(check_signatures_trust), mainproc.c (check_sig_and_print,
+	pka_uri_from_sig), trustdb.c (init_trustdb): Some tweaks to PKA so
+	that it is a verify-option now.
+
 2006-03-07  Werner Koch  <wk@g10code.com>
 
 	* mainproc.c (proc_signature_packets): Return any_sig_seen to caller.

g10/gpg.c

@@ -243,7 +243,6 @@ enum cmd_and_opt_values
     oAlwaysTrust,
     oTrustModel,
     oForceOwnertrust,
-    oAllowPkaLookup,
     oRunAsShmCP,
     oSetFilename,
     oForYourEyesOnly,
@@ -601,7 +600,6 @@ static ARGPARSE_OPTS opts[] = {
     { oAlwaysTrust, "always-trust", 0, "@"},
     { oTrustModel, "trust-model", 2, "@"},
     { oForceOwnertrust, "force-ownertrust", 2, "@"},
-    { oAllowPkaLookup,  "allow-pka-lookup", 0, "@" },
     { oRunAsShmCP, "run-as-shm-coprocess", 4, "@" },
     { oSetFilename, "set-filename", 2, "@" },
     { oForYourEyesOnly, "for-your-eyes-only", 0, "@" },
@@ -1452,7 +1450,6 @@ gpgconf_list (const char *configfile)
   printf ("quiet:%lu:\n",   GC_OPT_FLAG_NONE);
   printf ("keyserver:%lu:\n", GC_OPT_FLAG_NONE);
   printf ("reader-port:%lu:\n", GC_OPT_FLAG_NONE);
-  printf ("allow-pka-lookup:%lu:\n", GC_OPT_FLAG_NONE);
 }
 
 
@@ -1608,47 +1605,20 @@ collapse_args(int argc,char *argv[])
 static void
 parse_trust_model(const char *model)
 {
-  opt.pka_trust_increase = 0;
   if(ascii_strcasecmp(model,"pgp")==0)
-    {
     opt.trust_model=TM_PGP;
-    }
-  else if(ascii_strcasecmp(model,"pgp+pka")==0)
-    {
-      opt.trust_model=TM_PGP;
-      opt.pka_trust_increase = 1;
-    }
   else if(ascii_strcasecmp(model,"classic")==0)
-    {
     opt.trust_model=TM_CLASSIC;
-    }
   else if(ascii_strcasecmp(model,"always")==0)
-    {
     opt.trust_model=TM_ALWAYS;
-    }
   else if(ascii_strcasecmp(model,"direct")==0)
-    {
     opt.trust_model=TM_DIRECT;
-    }
-  else if(ascii_strcasecmp(model,"direct+pka")==0)
-    {
-      opt.trust_model=TM_DIRECT;
-      opt.pka_trust_increase = 1;
-    }
   else if(ascii_strcasecmp(model,"auto")==0)
-    {
     opt.trust_model=TM_AUTO;
-    }
-  else if(ascii_strcasecmp(model,"auto+pka")==0)
-    {
-      opt.trust_model=TM_AUTO;
-      opt.pka_trust_increase = 1;
-    }
   else
     log_error("unknown trust model `%s'\n",model);
 }
 
-
 int
 main (int argc, char **argv )
 {
@@ -1740,7 +1710,6 @@ main (int argc, char **argv )
     opt.verify_options=
       VERIFY_SHOW_POLICY_URLS|VERIFY_SHOW_STD_NOTATIONS|VERIFY_SHOW_KEYSERVER_URLS;
     opt.trust_model=TM_AUTO;
-    opt.pka_trust_increase=0;
     opt.mangle_dos_filenames=0;
     opt.min_cert_level=2;
     set_screen_dimensions();
@@ -2153,9 +2122,6 @@ main (int argc, char **argv )
 		opt.force_ownertrust=0;
 	      }
 	    break;
-          case oAllowPkaLookup:
-            opt.allow_pka_lookup = 1;
-            break;
 	  case oLoadExtension:
 #ifndef __riscos__
 #if defined(USE_DYNAMIC_LINKING) || defined(_WIN32)
@@ -2496,6 +2462,10 @@ main (int argc, char **argv )
 		   N_("show user ID validity during signature verification")},
 		  {"show-unusable-uids",VERIFY_SHOW_UNUSABLE_UIDS,NULL,
 		   N_("show revoked and expired user IDs in signature verification")},
+		  {"pka-lookup",VERIFY_PKA_LOOKUP,NULL,
+		   N_("validate signatures with PKA data")},
+		  {"pka-trust-increase",VERIFY_PKA_TRUST_INCREASE,NULL,
+		   N_("elevate the trust of signatures with valid PKA data")},
 		  {NULL,0,NULL,NULL}
 		};
 

g10/mainproc.c

@@ -1390,7 +1390,7 @@ pka_uri_from_sig (PKT_signature *sig)
       assert (!sig->pka_info);
       sig->flags.pka_tried = 1;
       sig->pka_info = get_pka_address (sig);
-      if (sig->pka_info && opt.allow_pka_lookup)
+      if (sig->pka_info)
         {
           char *uri;
 
@@ -1866,6 +1866,7 @@ check_sig_and_print( CTX c, KBNODE node )
 
 	if (!rc)
           {
+	    if(opt.verify_options&VERIFY_PKA_LOOKUP)
 	      pka_uri_from_sig (sig); /* Make sure PKA info is available. */
 	    rc = check_signatures_trust( sig );
           }

g10/options.h

@@ -103,8 +103,6 @@ struct
       TM_CLASSIC=0, TM_PGP=1, TM_EXTERNAL=2, TM_ALWAYS, TM_DIRECT, TM_AUTO
     } trust_model;
   int force_ownertrust;
-  int pka_trust_increase;  /* Valid PKA information increases the trust. */
-  int allow_pka_lookup;    /* PKA lookups are only done if this is set. */
   enum
     {
       CO_GNUPG=0, CO_RFC2440, CO_RFC1991, CO_PGP2, CO_PGP6, CO_PGP7, CO_PGP8
@@ -316,6 +314,8 @@ struct {
 #define VERIFY_SHOW_KEYSERVER_URLS       (1<<4)
 #define VERIFY_SHOW_UID_VALIDITY         (1<<5)
 #define VERIFY_SHOW_UNUSABLE_UIDS        (1<<6)
+#define VERIFY_PKA_LOOKUP                (1<<7)
+#define VERIFY_PKA_TRUST_INCREASE        (1<<8)
 
 #define KEYSERVER_USE_TEMP_FILES         (1<<0)
 #define KEYSERVER_KEEP_TEMP_FILES        (1<<1)

g10/pkclist.c

@@ -566,7 +566,7 @@ check_signatures_trust( PKT_signature *sig )
         case TRUST_UNKNOWN: 
         case TRUST_UNDEFINED:
         case TRUST_MARGINAL:
-          if (okay && opt.pka_trust_increase)
+          if (okay && opt.verify_options&VERIFY_PKA_TRUST_INCREASE)
             {
               trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_FULLY);
               log_info (_("trustlevel adjusted to FULL"

g10/trustdb.c

@@ -450,12 +450,7 @@ init_trustdb()
 	}
 
       if(opt.verbose)
-        {
 	log_info(_("using %s trust model\n"),trust_model_string());
-          if (opt.pka_trust_increase)
-            log_info(_("PKA verification is allowed to"
-                       " leverage trust to full\n"));
-        }
     }
 
   if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)