Actually we do not import a Root Cert but provide a way to validate any piece of data by storing its Hash along with a description and an identifier in the PSE. Here is the interface description:
Check whether the OpenPGP primary key or the X.509 certificate with the given fingerprint is an ultimately trusted key or a trusted Root CA certificate. The fingerprint should be given as a hexstring (without any blanks or colons or whatever in between) and may be left padded with 00 in case of an MD5 fingerprint. GPGAgent will answer with:
The key is in the table of trusted keys.
ERR 304 (Not Trusted)
The key is not in this table.
Gpg needs the entire list of trusted keys to maintain the web of trust; the following command is therefore quite helpful:
GpgAgent returns a list of trusted keys line by line:
S: D 000000001234454556565656677878AF2F1ECCFF P S: D 340387563485634856435645634856438576457A P S: D FEDC6532453745367FD83474357495743757435D S S: OK
The first item on a line is the hexified fingerprint where MD5
00 padded to the left and the second item is a
flag to indicate the type of key (so that gpg is able to only take care
of PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest
of the line, so that we can extend the format in the future.
Finally a client should be able to mark a key as trusted:
MARKTRUSTED fingerprint "P"|"S"
The server will then pop up a window to ask the user whether she really trusts this key. For this it will probably ask for a text to be displayed like this:
S: INQUIRE TRUSTDESC C: D Do you trust the key with the fingerprint @FPR@ C: D bla fasel blurb. C: END S: OK
Known sequences with the pattern @foo@ are replaced according to this table: