From a869c520e4c75ee16cc9c07b96bd4886aae39f8a Mon Sep 17 00:00:00 2001
From: Carl Hetherington <cth@carlh.net>
Date: Mon, 23 Nov 2015 16:40:57 +0000
Subject: Try removing the 'primary' receipient's certificate thumbprint from
 the CertificateThumbprint list.

---
 src/encrypted_kdm.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/encrypted_kdm.cc b/src/encrypted_kdm.cc
index 13a9eb05..207dff67 100644
--- a/src/encrypted_kdm.cc
+++ b/src/encrypted_kdm.cc
@@ -547,8 +547,12 @@ EncryptedKDM::EncryptedKDM (
 		/* Use the "assume trust" thumbprint */
 		kre.authorized_device_info.certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
 	} else if (formulation == DCI_SPECIFIC) {
-		/* Use the recipient and other trusted device thumbprints */
-		kre.authorized_device_info.certificate_thumbprints.push_back (recipient.thumbprint ());
+		/* As I read the standard we should use the recipient
+		   /and/ other trusted device thumbprints here.  MJD
+		   reports that this doesn't work with his setup;
+		   a working KDM does not include the recipient's
+		   thumbprint (recipient.thumbprint()).
+		*/
 		BOOST_FOREACH (Certificate const & i, trusted_devices) {
 			kre.authorized_device_info.certificate_thumbprints.push_back (i.thumbprint ());
 		}
-- 
cgit v1.2.3