Re: Ultimate trust

Subject: Re: Ultimate trust

Date: Sun, 22 Mar 2020 22:20:15 -0300

To: Philip Hands,

Cc: Daniel Kahn Gillmor

From: David Bremner

Philip Hands <> writes:

> Tomas Nordin <> writes:
>> Teemu Likonen <> writes:
> ...
>>> I do this: I press "Yes" (to trust "ultimately") but then immediately go
>>> edit ~/.gnupg/trustlist.txt file and put "!" mark in the beginning of
>>> that certificate authority's key fingerprint. It marks that key
>>> untrusted (because I really don't know). Then: "gpgconf --reload
>>> gpg-agent".
>> OK, thanks. That already feels better, knowing I can revert this trust
>> easily like that. And some better understanding for whats going on.
> That seems like a UI bug to me -- I'd have thought that there should be
> a "No" button so that you can stop it repeatedly asking (presumably by
> automatically doing the same as the above manual procedure).
> Would anyone happen to know where that should be reported?
> I have a feeling that I'd want to default that to answering "No", and
> never see the prompt.

I think this is all about S/MIME and gpgsm. The issue with the delays
is  already reported to

It can be worked around with "disable-crl-checks" in the gpgsm
config. But if you actually care about S/MIME messages that has some

The more general question of asking people to trust the CA of some
random person on the internet seems crazy to me as well. I'm not sure,
maybe dkg has ideas about how to fix the UI issue from the notmuch side.


notmuch mailing list