Re: [Help-gnutls] Re: CA cert verification
From: Nikos Mavrogiannopoulos
Subject: Re: [Help-gnutls] Re: CA cert verification
Date: Wed, 24 Aug 2005 19:48:37 +0200
User-agent: KMail/1.7.2
On Wednesday 24 August 2005 17:58, Martin Lambers wrote:
> > * Note that some commonly used X.509 Certificate Authorities are
> > * still using Version 1 certificates. If you want to accept them,
> > * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
> > * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
> What is the reason why Version 1 certificates are not accepted by
> default? Is it safe to always set the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
> flag?
In general it is not. A v1 certificate does not contain information about its
status (CA, person, etc.). You may think that this is not that bad since this
is a trusted list anyway.

The problem arises when people add single non-CA certificates to this list.
Say someone may add a certificate of a web site there. This should have the
effect of this certificate being able to certify others. This is not
desirable. (The proper solution, though, would be not to use the trusted list
for these non-CA certificates.)
--
Nikos Mavrogiannopoulos
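
The point made in the reply above, as an added example that is not part of the thread and not GnuTLS code: a small DER walker, written without GnuTLS, that reports whether a certificate states its own CA status in a basicConstraints extension or is a v1 certificate that cannot state it. The names `ca_status`, `tlv`, `SAMPLE_V1` and the `CERT_*` values are made up for this example, and the sample bytes are a constructed skeleton.

```c
#include <stddef.h>
#include <string.h>

enum { CERT_BAD = -1, CERT_NOT_CA = 0, CERT_IS_CA = 1, CERT_V1_NO_INFO = 2 };
static const unsigned char SAMPLE_V1[] = {  /* constructed v1 skeleton, not a real cert */
    0x30,0x14,0x30,0x0d,0x02,0x01,0x01,0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,
    0x30,0x00,0x30,0x00,0x03,0x01,0x00 };

/* Read the DER header at p: store the tag, set *vend, return the value start. */
static const unsigned char *tlv(const unsigned char *p, const unsigned char *lim,
                                unsigned *tag, const unsigned char **vend)
{
    size_t len, n;
    if (lim - p < 2) return NULL;
    *tag = *p++;
    len = *p++;
    if (len & 0x80) {                       /* long form, at most 2 length bytes */
        n = len & 0x7f;
        if (n < 1 || n > 2 || (size_t)(lim - p) < n) return NULL;
        for (len = 0; n > 0; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(lim - p) < len) return NULL;
    *vend = p + len;
    return p;
}

/* Does the certificate itself say whether it may issue other certificates? */
int ca_status(const unsigned char *der, size_t n)
{
    static const unsigned char bc[] = { 0x06, 0x03, 0x55, 0x1d, 0x13 }; /* OID 2.5.29.19 */
    const unsigned char *p, *end, *e, *x = NULL, *ve;
    unsigned tag = 0;
    if (!(p = tlv(der, der + n, &tag, &end)) || tag != 0x30) return CERT_BAD;
    if (!(p = tlv(p, end, &tag, &end)) || tag != 0x30) return CERT_BAD; /* TBSCertificate */
    if (p == end || *p != 0xa0) return CERT_V1_NO_INFO;  /* v1: no [0] version field */
    while (p < end && tag != 0xa3)          /* walk fields up to [3] extensions */
        if (!(x = tlv(p, end, &tag, &p))) return CERT_BAD;
    if (tag != 0xa3) return CERT_NOT_CA;    /* v2/v3 without extensions */
    if (!(p = tlv(x, p, &tag, &end)) || tag != 0x30) return CERT_BAD;
    for (; p < end; p = e) {
        if (!(x = tlv(p, end, &tag, &e)) || tag != 0x30) return CERT_BAD;
        if (e - x < 5 || memcmp(x, bc, 5) != 0) continue;   /* some other extension */
        if (!(x = tlv(x + 5, e, &tag, &ve))) return CERT_BAD;
        if (tag == 0x01 && !(x = tlv(ve, e, &tag, &ve))) return CERT_BAD; /* skip critical */
        if (tag != 0x04 || !(x = tlv(x, ve, &tag, &ve)) || tag != 0x30) return CERT_BAD;
        return (ve - x >= 3 && x[0] == 0x01 && x[1] == 0x01 && x[2]) ? CERT_IS_CA : CERT_NOT_CA;
    }
    return CERT_NOT_CA;                     /* cA defaults to FALSE when absent */
}
```

An entry of the trusted list that yields `CERT_V1_NO_INFO` is the kind that is accepted as an issuer only when GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is set, so listing such entries shows what enabling the flag would start trusting.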