diff --git a/doc/DETAILS b/doc/DETAILS
index a74c0e907..e7a5d423b 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -57,7 +57,11 @@ record; gpg2 does this by default and the option is a dummy.
 		f = The key is fully trusted
 		u = The key is ultimately trusted.  This often means
 		    that the secret key is available, but any key may
-		    be marked as ultimately trusted.
+		    be marked as ultimately trusted. 
+
+            For X.509 certificates an 'u' is used for a trusted root
+            certificates (i.e. for the truct anchor) and and 'f' for
+            all other validated certificates.
 
  3. Field:  length of key in bits.
 
diff --git a/g10/ChangeLog b/g10/ChangeLog
index 5df38e5c2..6556ce2c7 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,8 @@
+2008-08-11  Werner Koch  <wk@g10code.com>
+
+	* keygen.c (ask_expire_interval): Check for time overflow of an
+	u32.  Fixes bug #947.
+
 2008-08-01  Werner Koch  <wk@g10code.com>
 
 	* tdbio.c (open_db) [!EROFS]: Move closing parens out of the
diff --git a/scd/ChangeLog b/scd/ChangeLog
index dcfdc60f9..5e53fb9d1 100644
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@@ -4,7 +4,7 @@
 	(reset_rapdu_reader, open_rapdu_reader): Allow ATRs of up to 33
 	bytes.  Provide maximum size of ATR buffer using DIM.  Such long
 	ATR are never seen in reality but the PC/SC library of MAC OS X is
-	just too buggy. Reported by Ludovic Rousseau.  Fixes bug #948.
+	just too buggy.  Reported by Ludovic Rousseau.  Fixes bug #948.
 
 2008-07-30  Werner Koch  <wk@g10code.com>
 
diff --git a/sm/ChangeLog b/sm/ChangeLog
index e96970c3a..0b29330c4 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,7 @@
+2008-08-13  Werner Koch  <wk@g10code.com>
+
+	* keylist.c (list_cert_colon): Print 'f' for validated certs.
+
 2008-08-08  Marcus Brinkmann  <marcus@g10code.de>
 
 	* gpgsm.h (struct server_control_s): Remove member dirmngr_seen.
diff --git a/sm/keylist.c b/sm/keylist.c
index c593ccc46..014147e69 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -415,6 +415,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
         *truststring = 'e';
       else if (valerr)
         *truststring = 'i';
+      else if (ctrl->with_validation && !is_root)
+        *truststring = 'f';
     }
 
   /* If we have no truststring yet (i.e. the certificate might be