Re: The _gnutls_x509_verify

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The _gnutls_x509_verify_certificate fix

From:	Sam Varshavchik
Subject:	Re: The _gnutls_x509_verify_certificate fix
Date:	Mon, 10 Nov 2008 20:35:55 -0500

Tomas Mraz writes:

self-signed site certificate. Is there some other method how this could
be achieved? If not, then perhaps the test for the self-signed should be
performed only when clist_size > 1. Also the test for the clist_size
should be first test of the if().

The other limitation is that only the last certificate (after removing
eventual self-signed cert at the end of the chain) is checked against
the trusted list. That means you can not put just an intermediate CA
cert into the trusted list to be able to verify the chain.

What do you think of these limitations, should they be removed?


Here's how I always thought certificate verifications should work:

1) The first certificate must be one of your trusted certs

2) Each one of the following certificates must be signed by the previousone, ending with the peer's certificate

It makes no sense to search the trusted list for any intermediate certs,neither does it make sense to treat self-signed certs in any special way.All of the root, trusted, certs are self-signed certs, the above logic workscorrectly for them.

pgpK4jFHp7ekS.pgp
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: The _gnutls_x509_verify_certificate fix, (continued)
- Re: The _gnutls_x509_verify_certificate fix, Nikos Mavrogiannopoulos, 2008/11/10
  - Re: The _gnutls_x509_verify_certificate fix, Tomas Mraz, 2008/11/11
    - Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
    - Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
    - Re: The _gnutls_x509_verify_certificate fix, Tomas Mraz, 2008/11/11
    - Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
    - Re: The _gnutls_x509_verify_certificate fix, Andreas Metzler, 2008/11/11
    - Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
    - Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/12
    - Re: The _gnutls_x509_verify_certificate fix, Andreas Metzler, 2008/11/12
- Re: The _gnutls_x509_verify_certificate fix, Sam Varshavchik <=
  - Re: The _gnutls_x509_verify_certificate fix, Werner Koch, 2008/11/11
  - Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
    - supporting out-of-process certificate validation [was: Re: The _gnutls_x509_verify_certificate fix], Daniel Kahn Gillmor, 2008/11/11
    - Re: supporting out-of-process certificate validation, Simon Josefsson, 2008/11/12
    - Re: supporting out-of-process certificate validation, Werner Koch, 2008/11/12
    - Re: supporting out-of-process certificate validation, Simon Josefsson, 2008/11/12
    - Re: supporting out-of-process certificate validation, Werner Koch, 2008/11/12
    - trusted intermediate CAs [was: Re: The _gnutls_x509_verify_certificate fix], Daniel Kahn Gillmor, 2008/11/11
    - Re: trusted intermediate CAs, Simon Josefsson, 2008/11/12
    - Re: trusted intermediate CAs, Daniel Kahn Gillmor, 2008/11/12

Prev by Date: Re: The _gnutls_x509_verify_certificate fix
Next by Date: Re: Bug#503833: Unparseable PKCS cert
Previous by thread: Re: The _gnutls_x509_verify_certificate fix
Next by thread: Re: The _gnutls_x509_verify_certificate fix
Index(es):
- Date
- Thread