help-gnutls

[Help-gnutls] Re: Is gnutls using the shell model or the chain model for


From: Simon Josefsson
Subject: [Help-gnutls] Re: Is gnutls using the shell model or the chain model for a certificate validation
Date: Mon, 10 Nov 2008 12:30:24 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

Scott Schaeffner <address@hidden> writes:

> Hello,
>
> Here is the message (response to gnu.org #388183) I'd like to post:
> ----------------------------------------------------------------
>>I don't see any clear notes on the page you linked explaining
>>specifically what "shell" and "chain" mean in this context.
>
> The PowerPoint presentation
> http://www.bundesnetzagentur.de/media/archive/1894.pps#259 shows the
> differences concerning the two different validation models.
>
> I furthermore found a note that indicates that in Germany the chain model is
> required (http://www.adobe.com/devnet/acrobat/pdfs/admin_guide.pdf section
> 5.4.4.2).
>
> I did not have a detailed look into the implementation yet, so I am not
> sure if gnutls offers one function for a certificate chain validation
> or if you have to implement the verification of the chain on your own
> and gnutls only offers the functions for that.

I'm not sure I understand the difference between the shell vs chain
models based on that PowerPoint, but I can say that there is only one
algorithm implemented in gnutls for X.509 validation, and it validates
X.509 paths in a chaining way.  Whether that matches what you are
looking for is not clear to me.  You can read the code in
lib/x509/verify.c.

/Simon



