Message: previous - next
Month: February 2013

Re: [trinity-users] Re: kMail certificate

From: Steven D'Aprano <steve@...>
Date: Tue, 26 Feb 2013 10:49:14 +1100
On 26/02/13 09:21, Leslie Turriff wrote:
> On Monday 25 February 2013 16:05:27 dep wrote:
>> said dep:
>> | said Leslie Turriff:
>> | | 	This drove me mad for ages, until I finally broke down and started
>> | | tinkering with the Settings.  (I don't know if this is the best way to
>> | | fix this, but I figure that when an ISP sends certificates with broken
>> | | authority info, which apparently is ignored by all those Windoze mail
>> | | clients, it must be more or less okay...)
>> | | 	In the Scurity & Privacy Settings, S/MIME Validation tab, I unchecked
>> | | "Do not check certificate policies" and "Never consult a CRL", and now
>> | | kMail doesn't gripe about this any more.
>> |
>> | not the safest thing to do, but preferable to insanity -- thanks!
>> well, except for one thing: it didn't solve the problem.
> 	Hmmm... I don't think I changed anything else to fix it.  Maybe your ISP's
> certificate problem is different than mine?

I think you missed the point Dep is making.

The *actual* problem is that when KMail comes across a broken certificate, and
you tell it "Remember this one is okay forever", it *does not* remember that it
is okay forever.

Telling KMail "never check the certificates" does not solve the
problem, since that stops KMail from complaining *at all*. It completely breaks
when you have a situation like this:

- Site X certificate is broken, and I trust it forever;
- Site Y certificate is broken, but I only trust it this one time;
- I don't trust site Z at all unless the certificate is valid.