gnutls-devel

Re: trusted intermediate CAs


From: Daniel Kahn Gillmor
Subject: Re: trusted intermediate CAs
Date: Wed, 12 Nov 2008 18:27:39 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

On Wed 2008-11-12 16:41:32 -0500, Nikos Mavrogiannopoulos wrote:

> the library doesn't export any high level verification function to
> verify certificate chains.

What about gnutls_x509_crt_list_verify() and
gnutls_certificate_verify_peers2() ?  The latter is used in src/srv.c
and srv/cli.c, and I think it calls the former under the hood (using
data from the TLS session to fill in the specific parameters).

Those seem like high-level functions to verify certificate chains to
me.  Did you mean something else?

> I expected applications to use their own and that's what certtool
> does.

_verify_x509_mem() in certtool.c looks like it implements a very
similar goal to the goal addressed by gnutls_x509_crt_list_verify().
If there is an alternate validation method that might be superior to
gnutls_x509_crt_list_verify(), why not fold it into that function?

If the alternate method raises DoS or resource consumption concerns,
the library could offer it as an alternative function, so that
GnuTLS-based tools in non-DoS-sensitive environments could take
advantage of it.

I think it would be really useful to have certtool reflect the
internal workings of GnuTLS as closely as possible, not least for the
sake of providing tools to help admins who are trying to debug/test
GnuTLS-based applications.

Regards,

         --dkg


