This option enables interval checking of certificate validity. You can also choose the checking interval (in hours). The effect of interval checking is the same as View → Redisplay (F5) ; there is no provision for interval scheduling of Tools → Refresh OpenPGP Certificates or Tools → Refresh X.509 Certificates .

If this option is selected, S/MIME certificates are validated using Certificate Revocation Lists (CRLs).

See Validate certificates online (OCSP) for alternative method of certificate validity checking.

If this option is selected, S/MIME certificates are validated online using the Online Certificates Status Protocol (OCSP).

To use this method, you need to enter the URL of the OCSP responder into OCSP responder URL.

See Validate certificates online (OCSP) for a more traditional method of certificate validity checking that does not leak information about whom you exchange messages with.

Enter here the address of the server for online validation of certificates (OCSP responder). The URL usually starts with http://.

Choose here the certificate with which the OCSP server signs its replies.

Each S/MIME certificate usually contains the URL of its issuer's OCSP responder ( Certificates → Dump Certificate will reveal whether a given certificate contains it).

Checking this option makes GpgSM ignore those URLs and only use the one configured above.

Use this to e.g. enforce use of a company-wide OCSP proxy.

By default, GpgSM uses the file ~/.gnupg/policies.txt to check if a certificate policy is allowed. If this option is selected, policies are not checked.

If this option is checked, Certificate Revocation Lists are never used to validate S/MIME certificates.

If this option is checked while a root CA certificate is being imported, you will be asked to confirm its fingerprint and to state whether or not you consider this root certificate to be trusted.

A root certificate needs to be trusted before the certificates it certified become trusted, but lightly allowing trusted root certificates into your certificate store will undermine the security of the system.

If this option is checked, missing issuer certificates are fetched when necessary (this applies to both validation methods, CRLs and OCSP).

Entirely disables the use of HTTP for S/MIME.

When looking for the location of a CRL, the to-be-tested certificate usually contains what are known as “CRL Distribution Point” (DP) entries, which are URLs describing the way to access the CRL. The first-found DP entry is used.

With this option, all entries using the HTTP scheme are ignored when looking for a suitable DP.

If this option is selected, the value of the HTTP proxy shown on the right (which comes from the environment variable http_proxy) will be used for any HTTP request.

If no system proxy is set, or you need to use a different proxy for GpgSM, you can enter its location here.

It will be used for all HTTP requests relating to S/MIME.

The syntax is host:port, e.g. myproxy.nowhere.com:3128.

Entirely disables the use of LDAP for S/MIME.

When looking for the location of a CRL, the to-be-tested certificate usually contains what are known as "CRL Distribution Point" (DP) entries, which are URLs describing the way to access the CRL. The first found DP entry is used.

With this option, all entries using the LDAP scheme are ignored when looking for a suitable DP.

Entering an LDAP server here will make all LDAP requests go to that server first. More precisely, this setting overrides any specified host and port part in an LDAP URL and will also be used if host and port have been omitted from the URL.

Other LDAP servers will be used only if the connection to the “proxy” failed. The syntax is host or host:port. If port is omitted, port 389 (standard LDAP port) is used.