help-gnutls

Re: [Help-gnutls] Re: CA cert verification


From: Nikos Mavrogiannopoulos
Subject: Re: [Help-gnutls] Re: CA cert verification
Date: Wed, 24 Aug 2005 19:48:37 +0200
User-agent: KMail/1.7.2

On Wednesday 24 August 2005 17:58, Martin Lambers wrote:

> >   * Note that some commonly used X.509 Certificate Authorities are
> >   * still using Version 1 certificates.  If you want to accept them,
> >   * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
> >   * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
> What is the reason why Version 1 certificates are not accepted by
> default? Is it safe to always set the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
> flag?

In general it is not. A v1 certificate does not contain information about its
status (CA, person, etc.). You may think that this is not that bad since this
is a trusted list anyway.

The problem arises when people add single non-CA certificates to this list.
Say someone adds a certificate of a web site there. This would have the
effect of this certificate being able to certify others. This is not
desirable. (The proper solution, though, would be not to use the trusted list
for these non-CA certificates.)


-- 
Nikos Mavrogiannopoulos
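A small model of the situation described above, added here as an example; it is not GnuTLS code. Certificates are plain dicts, signature checks are replaced by an issuer/subject name match (an assumption of the model), and the constant `ALLOW_X509_V1_CA_CRT` stands in for `GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT`.

```python
# Model of how a trusted list is consulted when deciding whether the issuer
# of a chain is a usable CA. Not GnuTLS's implementation: names instead of
# signatures, dicts instead of DER (assumptions of this example).

ALLOW_X509_V1_CA_CRT = 1  # stands in for GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT


def make_cert(subject, issuer, version, ca=None):
    """ca is the basicConstraints CA bit; a v1 certificate has no such field."""
    return {"subject": subject, "issuer": issuer, "version": version, "ca": ca}


def may_act_as_ca(anchor, flags):
    """Can this trusted-list entry certify other certificates?"""
    if anchor["version"] == 1:
        # A v1 certificate carries no status (CA or end entity), so the
        # verifier cannot tell; only the flag makes it usable as a CA.
        return bool(flags & ALLOW_X509_V1_CA_CRT)
    return anchor["ca"] is True  # v3: basicConstraints must say CA


def verify_chain(chain, trusted, flags=0):
    """chain[0] is the end-entity cert; chain[-1] is the last cert presented.
    True if the top of the chain is issued by a usable trusted-list entry."""
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"] or upper["ca"] is not True:
            return False
    top = chain[-1]
    return any(a["subject"] == top["issuer"] and may_act_as_ca(a, flags)
               for a in trusted)


def pinned(cert, known_certs):
    """The alternative the post suggests for non-CA certificates: match the
    end-entity certificate itself, in a list that is never used as CA list."""
    return cert in known_certs


# Constructed sample: a v1 web-site certificate that someone dropped into the
# trusted list, a certificate naming that site as its issuer, and a real v3 CA.
WEBSITE_V1 = make_cert("CN=www.example.test", "CN=Some CA", 1)
ROGUE = make_cert("CN=anything", "CN=www.example.test", 3, ca=False)
REAL_CA = make_cert("CN=Real CA", "CN=Real CA", 3, ca=True)
LEAF = make_cert("CN=service.example.test", "CN=Real CA", 3, ca=False)

if __name__ == "__main__":
    trusted = [WEBSITE_V1, REAL_CA]
    print("rogue, default flags:", verify_chain([ROGUE], trusted))
    print("rogue, v1 CA allowed: ", verify_chain([ROGUE], trusted, ALLOW_X509_V1_CA_CRT))
    print("leaf under v3 CA:     ", verify_chain([LEAF], trusted))
    print("site pinned directly: ", pinned(WEBSITE_V1, [WEBSITE_V1]), verify_chain([ROGUE], [REAL_CA]))
```

With the flag set, the web-site certificate in the trusted list silently becomes a CA for anything claiming it as issuer; keeping it in a separate pin list leaves the CA decision unaffected.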



