From: David Bremner
To: Philip Hands, notmuch@notmuchmail.org
Cc: Daniel Kahn Gillmor
Subject: Re: Ultimate trust
In-Reply-To: <87d094ciaw.fsf@hands.com>
References: <87v9mxlqof.fsf@fliptop.i-did-not-set--mail-host-address--so-tickle-me> <878sjt3e9n.fsf@iki.fi> <87pnd4laxa.fsf@fliptop.i-did-not-set--mail-host-address--so-tickle-me> <87d094ciaw.fsf@hands.com>
Date: Sun, 22 Mar 2020 22:20:15 -0300
Message-ID: <87ftdzlve8.fsf@tethera.net>

Philip Hands writes:

> Tomas Nordin writes:
>
>> Teemu Likonen writes:
> ...
>>> I do this: I press "Yes" (to trust "ultimately") but then immediately go
>>> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
>>> that certificate authority's key fingerprint. It marks that key
>>> untrusted (because I really don't know). Then: "gpgconf --reload
>>> gpg-agent".
>>
>> OK, thanks. That already feels better, knowing I can revert this trust
>> easily like that. And some better understanding for what's going on.
>
> That seems like a UI bug to me -- I'd have thought that there should be
> a "No" button so that you can stop it repeatedly asking (presumably by
> automatically doing the same as the above manual procedure).
>
> Would anyone happen to know where that should be reported?
>
> I have a feeling that I'd want to default that to answering "No", and
> never see the prompt.

I think this is all about S/MIME and gpgsm. The issue with the delays is
already reported to https://dev.gnupg.org/T3348

It can be worked around with "disable-crl-checks" in the gpgsm config. But
if you actually care about S/MIME messages, that has some drawbacks.

The more general question of asking people to trust the CA of some random
person on the internet seems crazy to me as well. I'm not sure, maybe dkg
has ideas about how to fix the UI issue from the notmuch side.

d
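The trustlist.txt workaround Teemu describes above, as an added shell example that is not part of this thread or of GnuPG: it marks a given CA fingerprint as explicitly untrusted by prefixing its entry with "!" instead of deleting the line, accepts the fingerprint with or without spaces or colons, and reports whether it changed anything. The sample trustlist, its fingerprints and the function names (normalize_fp, distrust_fp, make_sample_trustlist) are constructed for the example; running "gpgconf --reload gpg-agent" afterwards, as Teemu says, is left to the caller.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): mark a CA fingerprint in a
# gpg-agent trustlist.txt as explicitly untrusted by prefixing its entry with "!",
# keeping the line on record rather than deleting it.
# File paths, fingerprints and function names below are constructed for the example.

# normalize_fp FINGERPRINT: strip colons/spaces/tabs, upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t' | tr 'a-f' 'A-F'
}

# distrust_fp TRUSTLIST FINGERPRINT
# Rewrites TRUSTLIST in place. Prints one word: "changed" (a "!" was added),
# "already" (the entry was already marked) or "missing" (no entry matched).
# Exit status is 1 only for "missing".
distrust_fp() {
    trustlist=$1
    want=$(normalize_fp "$2")
    tmp="$trustlist.tmp.$$"
    status=missing
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'')
                printf '%s\n' "$line" ;;            # comments and blank lines kept verbatim
            *)
                fp=${line%% *}                      # first field: fingerprint, maybe "!"-prefixed
                bare=${fp#!}
                if [ "$(normalize_fp "$bare")" = "$want" ]; then
                    if [ "$fp" != "$bare" ]; then   # already carries the "!" prefix
                        [ "$status" = missing ] && status=already
                        printf '%s\n' "$line"
                    else
                        status=changed
                        printf '!%s\n' "$line"
                    fi
                else
                    printf '%s\n' "$line"
                fi ;;
        esac
    done < "$trustlist" > "$tmp"
    cat "$tmp" > "$trustlist" && rm -f "$tmp"       # keep the file's mode bits
    printf '%s\n' "$status"
    [ "$status" != missing ]
}

# make_sample_trustlist PATH: write a constructed trustlist with one trusted
# S/MIME CA entry and one that is already marked untrusted.
make_sample_trustlist() {
    cat > "$1" <<'EOF'
# constructed sample trustlist.txt (not real CA fingerprints)
# CN=Example Root CA,O=Example
A1B2C3D4E5F60718293A4B5C6D7E8F9011223344 S

# CN=Other Root CA,O=Other (already distrusted)
!0000111122223333444455556666777788889999 S
EOF
}

# Demo: distrust the Example Root CA entry in a throwaway copy, then show the file.
# On a real ~/.gnupg/trustlist.txt, follow this with: gpgconf --reload gpg-agent
demo_dir=$(mktemp -d)
make_sample_trustlist "$demo_dir/trustlist.txt"
distrust_fp "$demo_dir/trustlist.txt" "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90 1122 3344"
cat "$demo_dir/trustlist.txt"
rm -rf "$demo_dir"
```

The point of prefixing rather than deleting is the one Teemu makes: the entry stays in the file, so gpg-agent will not ask about that CA again, and removing the "!" later is enough to revert. The "disable-crl-checks" setting David mentions is a separate gpgsm.conf option for the delay problem and is not touched here.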