Try removing the 'primary' receipient's certificate thumbprint from the CertificateThumbprint list.

author: Carl Hetherington <cth@carlh.net> 2015-11-23 16:40:57 +0000
committer: Carl Hetherington <cth@carlh.net> 2015-11-23 16:41:15 +0000
commit: a869c520e4c75ee16cc9c07b96bd4886aae39f8a (patch)
tree: eb62f769b9b0ce1113677e550a2fc167a1896f84 /src
parent: 332c7c37e1cbc088980977d7c37c1c770af4b754 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/src/encrypted_kdm.cc b/src/encrypted_kdm.cc
index 13a9eb05..207dff67 100644
--- a/src/encrypted_kdm.cc
+++ b/src/encrypted_kdm.cc
@@ -547,8 +547,12 @@ EncryptedKDM::EncryptedKDM (
 		/* Use the "assume trust" thumbprint */
 		kre.authorized_device_info.certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
 	} else if (formulation == DCI_SPECIFIC) {
-		/* Use the recipient and other trusted device thumbprints */
-		kre.authorized_device_info.certificate_thumbprints.push_back (recipient.thumbprint ());
+		/* As I read the standard we should use the recipient
+		   /and/ other trusted device thumbprints here.  MJD
+		   reports that this doesn't work with his setup;
+		   a working KDM does not include the recipient's
+		   thumbprint (recipient.thumbprint()).
+		*/
 		BOOST_FOREACH (Certificate const & i, trusted_devices) {
 			kre.authorized_device_info.certificate_thumbprints.push_back (i.thumbprint ());
 		}
author	Carl Hetherington <cth@carlh.net>	2015-11-23 16:40:57 +0000
committer	Carl Hetherington <cth@carlh.net>	2015-11-23 16:41:15 +0000
commit	a869c520e4c75ee16cc9c07b96bd4886aae39f8a (patch)
tree	eb62f769b9b0ce1113677e550a2fc167a1896f84 /src
parent	332c7c37e1cbc088980977d7c37c1c770af4b754 (diff)