author: Werner Koch <wk@gnupg.org> 2011-12-07 16:15:15 +0100
committer: Werner Koch <wk@gnupg.org> 2011-12-07 16:15:15 +0100
commit: 8a12a2000d82acfa881e8c18d028290100bf5e43
tree: 3e212fdf3888181fa70570580bf7dbed65e3756a /doc/gpgsm.texi
parent: Correct punctuation in the ChangeLog summary line.
gpgsm: Add new validation model "steed".
* sm/gpgsm.h (VALIDATE_FLAG_STEED): New.
* sm/gpgsm.c (gpgsm_parse_validation_model): Add model "steed".
* sm/server.c (option_handler): Allow validation model "steed".
* sm/certlist.c (gpgsm_cert_has_well_known_private_key): New.
* sm/certchain.c (do_validate_chain): Handle the well-known-private-key
attribute. Support the "steed" model.
(gpgsm_validate_chain): Ditto.
* sm/verify.c (gpgsm_verify): Return "steed" in the trust status line.
* sm/keylist.c (list_cert_colon): Print the new 'w' flag.
--
This is the first part of changes to implement the STEED proposal as described at http://g10code.com/steed.html . The idea for X.509 is not to use plain self-signed certificates but certificates signed by a dummy CA (i.e. one for which the private key is known). Having a single CA as an indication for the use of STEED might help other X.509 implementations to implement STEED.
Diffstat (limited to 'doc/gpgsm.texi')
-rw-r--r-- doc/gpgsm.texi | 9
1 files changed, 5 insertions, 4 deletions
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 8e25baf62..bdb03783e 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -451,10 +451,11 @@ address and the time when you verified the signature.
@item --validation-model @var{name}
@opindex validation-model
This option changes the default validation model. The only possible
-values are "shell" (which is the default) and "chain" which forces the
-use of the chain model. The chain model is also used if an option in
-the @file{trustlist.txt} or an attribute of the certificate requests it.
-However the standard model (shell) is in that case always tried first.
+values are "shell" (which is the default), "chain" which forces the
+use of the chain model and "steed" for a new simplified model. The
+chain model is also used if an option in the @file{trustlist.txt} or
+an attribute of the certificate requests it. However the standard
+model (shell) is in that case always tried first.
@item --ignore-cert-extension @var{oid}
@opindex ignore-cert-extension
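Review bot: The new text introduces "steed" only as "a new simplified model" without telling the user what it checks or what it does not check, which matters for a validation option. The commit message explains that under STEED the certificates are signed by a dummy CA whose private key is known, so the CA signature on the chain is not a trust indicator in that model; the manual should state that consequence so that a user choosing `--validation-model steed` understands what assurance is lost, and should say how the model is selected (only via this option, or also by the well-known-private-key attribute that `do_validate_chain` now handles). Also, the sentence starting "The chain model is also used if ..." was kept for "chain" but nothing equivalent is said for "steed"; a short parallel sentence, or an explicit note that steed is never selected automatically, would close that gap. Minor: "(which is the default), "chain" which forces the use of the chain model and "steed" for ..." reads better as "(which is the default), "chain", which forces the use of the chain model, and "steed", a new simplified model."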