From: Sam Varshavchik
Subject: Re: The _gnutls_x509_verify_certificate fix
Date: Mon, 10 Nov 2008 20:35:55 -0500
Tomas Mraz writes:

> self-signed site certificate. Is there some other method by which this could be achieved? If not, then perhaps the test for the self-signed should be performed only when clist_size > 1. Also the test for the clist_size should be the first test of the if(). The other limitation is that only the last certificate (after removing eventual self-signed cert at the end of the chain) is checked against the trusted list. That means you cannot put just an intermediate CA cert into the trusted list to be able to verify the chain. What do you think of these limitations, should they be removed?
Here's how I always thought certificate verifications should work:

1) The first certificate must be one of your trusted certs.

2) Each one of the following certificates must be signed by the previous one, ending with the peer's certificate.

It makes no sense to search the trusted list for any intermediate certs, neither does it make sense to treat self-signed certs in any special way. All of the root (trusted) certs are self-signed certs; the above logic works correctly for them.
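The two-rule check described in the reply above, as an added illustration that is not part of the thread and not GnuTLS code: certificates are plain dicts, signatures use textbook RSA over tiny constructed primes (a model, not real X.509 or secure RSA), and the chain is ordered as in the message, trust anchor first and peer certificate last (the TLS wire order is the reverse, so a real implementation would reverse the list first). All names and keys are constructed. It also exercises the case Tomas raised: an intermediate CA placed directly in the trusted list works under this rule, and self-signed certificates need no special handling, since a self-signed certificate only passes when it is itself the trusted first element.

```python
import hashlib

# Toy RSA keys from tiny primes: illustrative only, trivially breakable.
def make_key(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return {"n": n, "e": e, "d": d}

def tbs_bytes(cert):
    """The 'to-be-signed' part of a certificate: everything but the signature."""
    return f"{cert['subject']}|{cert['issuer']}|{cert['pub']['n']}|{cert['pub']['e']}".encode()

def digest_mod(data, n):
    """SHA-256 of the data, reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_key, issuer_subject, issuer_key):
    """Create a certificate for subject_key, signed by issuer_key."""
    cert = {"subject": subject, "issuer": issuer_subject,
            "pub": {"n": subject_key["n"], "e": subject_key["e"]}}
    h = digest_mod(tbs_bytes(cert), issuer_key["n"])
    cert["sig"] = pow(h, issuer_key["d"], issuer_key["n"])
    return cert

def signed_by(cert, signer):
    """True if cert's signature verifies under the signer certificate's public key."""
    n, e = signer["pub"]["n"], signer["pub"]["e"]
    return pow(cert["sig"], e, n) == digest_mod(tbs_bytes(cert), n)

def fingerprint(cert):
    """Identity of a certificate: hash of its TBS part plus signature."""
    return hashlib.sha256(tbs_bytes(cert) + str(cert["sig"]).encode()).hexdigest()

def verify_chain(chain, trusted):
    """Rule 1: first cert is a trusted cert. Rule 2: each following cert is
    signed by the previous one. No search of the trusted list for intermediates,
    no special case for self-signed certs. Chain is anchor first, peer last."""
    if not chain:
        return False, "empty chain"
    anchors = {fingerprint(c) for c in trusted}
    if fingerprint(chain[0]) not in anchors:
        return False, "first certificate is not a trusted certificate"
    for prev, cur in zip(chain, chain[1:]):
        if cur["issuer"] != prev["subject"]:
            return False, f"{cur['subject']}: issuer does not match previous certificate"
        if not signed_by(cur, prev):
            return False, f"{cur['subject']}: signature does not verify under {prev['subject']}"
    return True, "ok"

# Constructed PKI (names and primes are made up for this example).
ROOT_KEY = make_key(61, 53)
INTER_KEY = make_key(67, 71)
LEAF_KEY = make_key(73, 79)
ROGUE_KEY = make_key(83, 89)   # a key the intermediate CA does not hold

ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", ROOT_KEY)      # self-signed
INTER = issue("Example Intermediate CA", INTER_KEY, "Example Root CA", ROOT_KEY)
LEAF = issue("www.example.test", LEAF_KEY, "Example Intermediate CA", INTER_KEY)
# Same names as LEAF, but signed with the rogue key: must fail rule 2.
FORGED_LEAF = issue("www.example.test", LEAF_KEY, "Example Intermediate CA", ROGUE_KEY)
# Self-signed site certificate: only passes if it is itself the trusted anchor.
SELF_SIGNED_LEAF = issue("www.example.test", LEAF_KEY, "www.example.test", LEAF_KEY)

if __name__ == "__main__":
    cases = [
        ("root anchor, full chain", [ROOT, INTER, LEAF], [ROOT]),
        ("intermediate as anchor", [INTER, LEAF], [INTER]),
        ("chain starts below the anchor", [INTER, LEAF], [ROOT]),
        ("forged leaf signature", [ROOT, INTER, FORGED_LEAF], [ROOT]),
        ("untrusted self-signed leaf", [SELF_SIGNED_LEAF], [ROOT]),
        ("self-signed leaf pinned as anchor", [SELF_SIGNED_LEAF], [SELF_SIGNED_LEAF]),
    ]
    for label, chain, trusted in cases:
        print(f"{label}: {verify_chain(chain, trusted)}")
```

The "intermediate as anchor" case is the one the quoted message says GnuTLS could not handle; under the first-must-be-trusted rule it passes with no extra logic, because nothing in the rule cares whether the anchor is a root.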