Re: trusted intermediate CAs
From: Nikos Mavrogiannopoulos
Subject: Re: trusted intermediate CAs
Date: Wed, 12 Nov 2008 23:41:32 +0200
User-agent: Thunderbird 2.0.0.17 (X11/20080925)
Daniel Kahn Gillmor wrote:
> On Wed 2008-11-12 03:29:41 -0500, Simon Josefsson wrote:
>
>> Btw, note that certtool -e does not use the same chain validation
>> algorithm as the GnuTLS library uses -- I believe certtool -e would
>> have rejected the faulty gnutls-sa-2008-3 chain.
>
> Why does certtool not use the same validation technique used in the
> library? Is this a deliberate design decision?
Yes. As I explained in a previous email, the library doesn't export any
high level verification function to verify certificate chains. I
expected applications to use their own and that's what certtool does.
> Is there a simple
> invocation i can use if i have a certificate chain (but no access to
> the end entity's private key) and i want to see how the library would
> treat it?
No. The certtool interface is quite primitive and could be improved (say
support a trusted certificate list or more).
regards,
Nikos