CAcert class 3 root not guilty

Hi,

Thanks for the new version 3.1.1 of gpg4win. I noticed improvements as follows:

1.) Comodo CA is supported, client certs are valid.

2.) Automated sending for S/MIME seems to work now. I will test it again.

But there is still a problem with CAcert: CA Cert Signing Authority is valid in Kleopatra, but not the CAcert Class 3 Root cert.

Will you fix it?

Thanks
Zigg

To be honest, I’m not sure. The validation fails with “No CRL Known”.

Looking at this certificate it does not have a CRL distribution point, but an OCSP URL.

I think with no CRL Distribution Point it should accept the cert and not fail with “No CRL Known”. I’ll ask the maintainer of that about it.

As a workaround, if I enable OCSP checks as described in https://forum.gnupg.org/t/validation-ocsp/3302, the certificate validates for me.

Andre,
the default in PKIX probably is that a cert will not be accepted if there is
no revocation information. If the cert is missing a CRL distribution point,
that may be a problem of the cert.

Bernhard

But I can create self-signed certificates without a CRL and make them valid by adding them to the trustlist.txt.

And I think that CRLs are optional, so we might have an issue here.
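
Added example, not part of the thread: a shell check for the point discussed above, that a certificate can carry an OCSP URL but no CRL distribution point (or neither, as with the self-signed certificates mentioned). It assumes the `openssl` CLI (1.1.1 or later for the sample helper); `revocation_sources` and `make_sample_cert` are hypothetical names, and the sample certificates and `example.invalid` URLs are constructed.

```shell
#!/bin/sh
# Added example: report which revocation pointers a PEM certificate carries.
# Function names are hypothetical; sample certificates are constructed.

# Build a throwaway self-signed certificate carrying the X.509v3 extensions
# passed as arguments (zero or more "name=value" strings without spaces).
# Needs OpenSSL 1.1.1+ for -addext.
make_sample_cert() {
    _out="$1"; shift
    _args=""
    for _ext in "$@"; do _args="$_args -addext $_ext"; done
    # $_args is intentionally unquoted so each -addext pair splits into words.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$_out.key" \
        -out "$_out" -subj "/CN=constructed-test" -days 1 $_args 2>/dev/null
}

# Print one of: both, crl-only, ocsp-only, none.
# Returns 2 if the file cannot be parsed as a certificate.
revocation_sources() {
    _text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    _crl=no
    _ocsp=no
    # A CRL distribution point shows up as its own extension heading.
    if printf '%s\n' "$_text" | grep -q 'X509v3 CRL Distribution Points'; then
        _crl=yes
    fi
    # An OCSP responder is listed under Authority Information Access.
    if printf '%s\n' "$_text" | grep -q 'OCSP - URI:'; then
        _ocsp=yes
    fi
    case "$_crl/$_ocsp" in
        yes/yes) echo both ;;
        yes/no)  echo crl-only ;;
        no/yes)  echo ocsp-only ;;   # a CRL-only check has nothing to fetch
        *)       echo none ;;        # no revocation pointer in the cert
    esac
}

# Stand-alone use: sh script.sh certificate.pem
if [ "$#" -gt 0 ]; then
    revocation_sources "$1"
fi
```
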