Implemented the chain model for X.509 validation.

doc/ChangeLog

@@ -1,3 +1,7 @@
+2007-08-09  Werner Koch  <wk@g10code.com>
+
+	* gpgsm.texi (Certificate Options): Describe --validation-model.
+
 2007-07-23  Werner Koch  <wk@g10code.com>
 
 	* scdaemon.texi (Scdaemon Commands): Remove obsolete --print-atr.

doc/DETAILS

@@ -253,8 +253,8 @@ more arguments in future versions.
         presence of the letter 'T' inside.
 
     VALIDSIG	<fingerprint in hex> <sig_creation_date> <sig-timestamp>
-		<expire-timestamp> [ <sig-version> <reserved> <pubkey-algo>
-		<hash-algo> <sig-class> <primary-key-fpr> ]
+		<expire-timestamp>  <sig-version> <reserved> <pubkey-algo>
+		<hash-algo> <sig-class> [ <primary-key-fpr> ]
 
 	The signature with the keyid is good. This is the same as
 	GOODSIG but has the fingerprint as the argument. Both status
@@ -269,8 +269,9 @@ more arguments in future versions.
 	useful to get back to the primary key without running gpg
 	again for this purpose.
 
-        The optional parameters are used for OpenPGP and are not
-        available for CMS signatures.
+        The primary-key-fpr parameter is used for OpenPGP and not
+        available for CMS signatures.  The sig-version as well as the
+        sig class is not defined for CMS and currently set to 0 and 00.
 
         Note, that *-TIMESTAMP may either be a number with seconds
         since epoch or an ISO 8601 string which can be detected by the
@@ -310,13 +311,21 @@ more arguments in future versions.
   
 
     TRUST_UNDEFINED <error token>
-    TRUST_NEVER  <error token>
-    TRUST_MARGINAL
-    TRUST_FULLY
-    TRUST_ULTIMATE
-	For good signatures one of these status lines are emitted
-	to indicate how trustworthy the signature is.  The error token
-        values are currently only emitted by gpgsm.
+    TRUST_NEVER     <error token>
+    TRUST_MARGINAL  [0  [<validation_model>]]
+    TRUST_FULLY     [0  [<validation_model>]] 
+    TRUST_ULTIMATE  [0  [<validation_model>]]
+	For good signatures one of these status lines are emitted to
+	indicate how trustworthy the signature is.  The error token
+	values are currently only emitted by gpgsm.  VALIDATION_MODEL
+	describes the algorithm used to check the validity of the key.
+	The default is the standard gpg Web of Trust model respective
+	the standard X.509 model.  The defined values are
+
+           "pgp"   for the standard PGP WoT.
+	   "shell" for the standard X.509 model.
+	   "chain" for the chain model.
+
 
     PKA_TRUST_GOOD <mailbox>
     PKA_TRUST_BAD  <mailbox>

doc/gpgsm.texi

@@ -412,6 +412,17 @@ requests in Dirmngr's configuration too (option
 @option{--allow-ocsp} and configure dirmngr properly.  If you don't do
 so you will get the error code @samp{Not supported}.
 
+
+@item --validation-model @var{name}
+@opindex validation-model
+This option changes the default validation model.  The only possible
+values are "shell" (which is the default) and "chain" which forces the
+use of the chain model.  The chain model is also used if an option in
+the @file{trustlist.txt} or an attribute of the certificate requests it.
+However the standard model (shell) is in that case always tried first.
+
+
+
 @end table
 
 @c *******************************************
@@ -550,7 +561,8 @@ encryption.  For convenience the strings @code{3DES}, @code{AES} and
 @opindex faked-system-time
 This option is only useful for testing; it sets the system time back or
 forth to @var{epoch} which is the number of seconds elapsed since the year
-1970.
+1970.  Alternativly @var{epoch} may be given as a full ISO time string
+(e.g. "20070924T154812").
 
 @item --with-ephemeral-keys
 @opindex with-ephemeral-keys

doc/specify-user-id.texi

@@ -122,7 +122,7 @@ This should return the Root cert of the issuer.  See note above.
 
 @item By exact match on serial number and issuer's DN.
 This is indicated by a hash mark, followed by the hexadecmal
-representation of the serial number, the followed by a slash and the
+representation of the serial number, then followed by a slash and the
 RFC-2253 encoded DN of the issuer. See note above.
 
 @cartouche