gnutls-devel

Re: trusted intermediate CAs


From: Nikos Mavrogiannopoulos
Subject: Re: trusted intermediate CAs
Date: Wed, 12 Nov 2008 23:41:32 +0200
User-agent: Thunderbird 2.0.0.17 (X11/20080925)

Daniel Kahn Gillmor wrote:
> On Wed 2008-11-12 03:29:41 -0500, Simon Josefsson wrote:
> 
>> Btw, note that certtool -e does not use the same chain validation
>> algorithm as the GnuTLS library uses -- I believe certtool -e would
>> have rejected the faulty gnutls-sa-2008-3 chain.
> 
> Why does certtool not use the same validation technique used in the
> library?  Is this a deliberate design decision? 

Yes. As I explained in a previous email, the library doesn't export any
high level verification function to verify certificate chains. I
expected applications to use their own and that's what certtool does.

> Is there a simple
> invocation i can use if i have a certificate chain (but no access to
> the end entity's private key) and i want to see how the library would
> treat it?

No. The certtool interface is quite primitive and could be improved (say
support a trusted certificate list or more).

regards,
Nikos
