On 26/02/13 09:21, Leslie Turriff wrote: > On Monday 25 February 2013 16:05:27 dep wrote: >> said dep: >> | said Leslie Turriff: >> | | This drove me mad for ages, until I finally broke down and started >> | | tinkering with the Settings. (I don't know if this is the best way to >> | | fix this, but I figure that when an ISP sends certificates with broken >> | | authority info, which apparently is ignored by all those Windoze mail >> | | clients, it must be more or less okay...) >> | | In the Scurity & Privacy Settings, S/MIME Validation tab, I unchecked >> | | "Do not check certificate policies" and "Never consult a CRL", and now >> | | kMail doesn't gripe about this any more. >> | >> | not the safest thing to do, but preferable to insanity -- thanks! >> >> well, except for one thing: it didn't solve the problem. > > Hmmm... I don't think I changed anything else to fix it. Maybe your ISP's > certificate problem is different than mine? I think you missed the point Dep is making. The *actual* problem is that when KMail comes across a broken certificate, and you tell it "Remember this one is okay forever", it *does not* remember that it is okay forever. Telling KMail "never check the certificates" does not solve the problem, since that stops KMail from complaining *at all*. It completely breaks when you have a situation like this: - Site X certificate is broken, and I trust it forever; - Site Y certificate is broken, but I only trust it this one time; - I don't trust site Z at all unless the certificate is valid. -- Steven