Addition: On 10/25/2013 02:22 AM, r.ted.byers@gmail.com wrote:
(or does your government have a website set up, with the URL provided in the crt file, from which websites can retrieve the files related to the crt, that they can use to access the validity of the crt file)?
If you open my certificate in the certificate viewer, check the path certificate/extensions! There you'll find among others:

Authority information access:
  URI: http://proxy.fineid.fi/ca/vrkcqc.crt

and

CRL Distribution Points:
  URI: http://proxy.fineid.fi/crl/vrkcqcc.crl
  URI: ldap://ldap.fineid.fi:389/cn%3dVRK%20Gov.%20CA%20for%20Citizen%20Qualified%20Certificates,ou%3dValtion%20kansalaisvarmenteet,o%3dVaestorekisterikeskus%20CA,dmdName%3dFINEID,c%3dFI?certificateRevocationList

Besides, it can also be that KMail is nagging because my certificate does not contain any email-address, because it's a personal identification certificate and no dedicated email-signing certificate. TB says "Although the digital signature is valid, it is unknown whether the sender and signer are the same person. The certificate used to sign the message does not contain an email address. [...]"

In practice, this doesn't really matter, because the purpose of the certificate is to prove that *I* wrote and signed the message, i.e. that I am legally the originator of the message. For the legal impact of the content of the message, it's of no consequence, who *sent* the message. Only, who *originated* and *signed* it.

Transferred to the physical world: If I e.g. write a paper document to a court, it doesn't matter if I personally bring it to the court, if I send my girl-friend or if I send the letter by mail. The important fact for the court is that *I* wrote and signed the letter.

--Stefan

--
 (o_   Stefan Gofferje            | SCLT, MCP, CCSA
 //\   Reg'd Linux User #247167   | VCP #2263
 V_/_  Heckler & Koch - the original point and click interface