gnutls-devel

Re: [gnutls-devel] faq


From: Nikos Mavrogiannopoulos
Subject: Re: [gnutls-devel] faq
Date: Mon, 21 Oct 2013 12:46:47 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130630 Icedove/17.0.7

On 10/14/2013 07:39 PM, Daniel Kahn Gillmor wrote:
> Hi Nikos--
> Could you place HTML anchors on a div containing each question and
> answer?  that would make it easier to send references using a URL with a
> fragment, like:
> 
>  http://www.gnutls.org/faq.html#key-usage-violation
> 
> and you can also use the CSS :target pseudoclass to provide clearer
> visual highlighting of the targeted section.

Hello Daniel,
 I have no idea how to do that. I have tried to hack something, but feel
free to suggest better options (all the web pages are in the web-pages
branch of the repository).

> Also, i note that the faq about key usage violations mentions that
> gnutls might consider relaxing these strict constraints.  i notice that
> Brian Smith is talking (over on address@hidden) about trying to actually
> make firefox (and possibly NSS itself, i can't tell from his message)
> *more* strict, rather than less.

Unfortunately this has already been done. The latest versions do not
issue this error. That error was so widespread, and none of the other
implementations ever complained of such violations. This led users
to believe that gnutls was buggy.

The first result in Google on the topic is:
http://www.visualsvn.com/support/topic/00056/

Which says, we generated a certificate, it works with openssl, but not
with gnutls. If you follow up the Google results more of this type of
argumentation shows up.

The fact is of course that a typical person will have no idea of
certificate key usage restrictions and yet he may be asked to generate a
correct certificate. Given that all software that assists in that goal
allows him to generate any invalid combination, being strict in gnutls
would buy us nothing but frustration. I may reconsider that in the
future though (as I don't like it either).

regards,
Nikos



