Dirmngr ISVALID - Using the GNU Privacy Guard

Next: Dirmngr CHECKCRL, Previous: Dirmngr LOOKUP, Up: Dirmngr Protocol

3.6.2 Validate a certificate using a CRL or OCSP

       ISVALID [--only-ocsp] [--force-default-responder] certid|certfpr

Check whether the certificate described by the certid has been revoked. Due to caching, the Dirmngr is able to answer immediately in most cases.

The certid is a hex encoded string consisting of two parts, delimited by a single dot. The first part is the SHA-1 hash of the issuer name and the second part the serial number.

Alternatively the certificate's SHA-1 fingerprint certfpr may be given in which case an OCSP request is done before consulting the CRL. If the option --only-ocsp is given, no fallback to a CRL check will be used. If the option --force-default-responder is given, only the default OCSP responder will be used and any other methods of obtaining an OCSP responder URL won't be used.

Common return values are:

GPG_ERR_NO_ERROR (0): This is the positive answer: The certificate is not revoked and we have an up-to-date revocation list for that certificate. If OCSP was used the responder confirmed that the certificate has not been revoked.
GPG_ERR_CERT_REVOKED: This is the negative answer: The certificate has been revoked. Either it is in a CRL and that list is up to date or an OCSP responder informed us that it has been revoked.
GPG_ERR_NO_CRL_KNOWN: No CRL is known for this certificate or the CRL is not valid or out of date.
GPG_ERR_NO_DATA: The OCSP responder returned an “unknown” status. This means that it is not aware of the certificate's status.
GPG_ERR_NOT_SUPPORTED: This is commonly seen if OCSP support has not been enabled in the configuration.

If DirMngr has not enough information about the given certificate (which is the case for not yet cached certificates), it will will inquire the missing data:

       S: INQUIRE SENDCERT <CertID>
       C: D <DER encoded certificate>
       C: END

A client should be aware that DirMngr may ask for more than one certificate.

If Dirmngr has a certificate but the signature of the certificate could not been validated because the root certificate is not known to dirmngr as trusted, it may ask back to see whether the client trusts this the root certificate:

       S: INQUIRE ISTRUSTED <CertHexfpr>
       C: D 1
       C: END

Only this answer will let Dirmngr consider the CRL as valid.