gnutls-devel
From: Nikos Mavrogiannopoulos
Subject: Re: [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a
Date: Tue, 13 Jul 2010 19:35:00 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20100411)

Simon Josefsson wrote:
> "Nikos Mavrogiannopoulos" <address@hidden> writes:
> 
>> +  gnutls_certificate_set_verify_flags(xcred, 
>> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
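Review bot: the flag is set unconditionally on xcred with no comment saying why it is needed, so a later reader could remove it as a security regression; add a comment stating that GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT only affects V1 certificates in the trusted (root) set and not intermediates, and that without it a large fraction of common root CA lists fails to verify, and consider exposing a command-line option so a caller who wants V1 roots rejected can still get that behaviour.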
> 
> What was the reason for this change?  Do we want to do this
> unconditionally?  Maybe we could introduce a --permit-v1-cas flag?  I'd
> rather prefer to treat V1 CAs as broken-by-default...

There is no practical problem with having V1 root CAs; the problem is
with the intermediate (untrusted) ones, and this flag allows only root CAs.
If disabled, it fails to verify a large fraction of any root CA list. A flag
that would disallow them would offer the functionality you say, but I
don't think it should be the default (not today with this large set of
V1 CAs at least).

> Hm.  Generally, X.509 validation is quite complex, just like TLS
> security policies.  I wonder if a X.509 priority string concept would be
> useful?  Then the user could say --x509-priority
> "NORMAL:+VERIFY_ALLOW_X509_V1_CA_CRT" to do the above.  Thoughts?  The
> string could be used to modify how X.509 validation works in many ways.

There one would like to have some standard validation policies that are
easy to grasp, rather than the complex flags. Maybe combined with a
better verification subsystem than the simple one we have.

regards,
Nikos

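The distinction Nikos draws above (a V1 certificate has no basicConstraints, so it is only safe to accept one as a CA when it is an explicitly configured trust anchor, never as an intermediate found in the peer's chain) is easy to lose in a list of flags. The following is an added illustration written for this archive page; it is not GnuTLS code and does not call the GnuTLS API. It models a chain verifier with a single opt-in flag, ALLOW_V1_CA_CRT, standing in for GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT. Signatures, validity periods and name constraints are deliberately left out, and the certificates, names and trust store are constructed inline for the example.

```python
"""Model of how a verifier treats X.509 v1 certificates in a chain.

Added example, not GnuTLS code. Assumptions: a v1 certificate carries no
basicConstraints extension (true of the v1 format), so whether it is a CA
cannot be read from the certificate itself; a v3 certificate is a CA only
if basicConstraints says so. Signature checks are omitted from the model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stand-in for GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT: accept v1 certificates,
# but only ones that are already in the configured trusted (root) set.
ALLOW_V1_CA_CRT = 1 << 0


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    version: int                 # 1 or 3
    ca: Optional[bool] = None    # basicConstraints.cA for v3; None for v1 (absent)


def is_acceptable_ca(cert: Cert, trusted: List[Cert], flags: int) -> bool:
    """May `cert` act as an issuer under this policy?"""
    if cert.version == 1:
        # No basicConstraints to consult: only an explicitly configured trust
        # anchor may be v1, and only when the caller has opted in via the flag.
        return cert in trusted and bool(flags & ALLOW_V1_CA_CRT)
    return cert.ca is True


def verify_chain(chain: List[Cert], trusted: List[Cert], flags: int = 0) -> Tuple[bool, str]:
    """chain[0] is the end-entity certificate; chain[1:] are the intermediates
    the peer sent, in issuing order. Returns (ok, reason)."""
    trusted_by_subject = {c.subject: c for c in trusted}
    cert = chain[0]
    rest = list(chain[1:])
    while True:
        if cert in trusted:
            return True, f"chain anchored at trusted {cert.subject!r}"
        if rest:
            issuer, where = rest.pop(0), "intermediate"   # supplied by the peer
        else:
            issuer, where = trusted_by_subject.get(cert.issuer), "root"  # from our store
        if issuer is None or issuer.subject != cert.issuer:
            return False, f"no issuer found for {cert.subject!r}"
        if not is_acceptable_ca(issuer, trusted, flags):
            return False, f"{where} {issuer.subject!r} (v{issuer.version}) is not an acceptable CA"
        cert = issuer


# Constructed sample certificates and trust store (names are hypothetical).
ROOT_V1 = Cert("Old Root CA", "Old Root CA", version=1)
ROOT_V3 = Cert("Modern Root CA", "Modern Root CA", version=3, ca=True)
INTER_V1 = Cert("V1 Intermediate", "Modern Root CA", version=1)
INTER_V3 = Cert("V3 Intermediate", "Modern Root CA", version=3, ca=True)
LEAF_A = Cert("www.example.test", "Old Root CA", version=3, ca=False)
LEAF_B = Cert("www.example.test", "V1 Intermediate", version=3, ca=False)
LEAF_C = Cert("www.example.test", "V3 Intermediate", version=3, ca=False)
LEAF_D = Cert("mail.example.test", "www.example.test", version=3, ca=False)
TRUSTED = [ROOT_V1, ROOT_V3]


def demo() -> dict:
    """Outcome of each policy case; keys describe the chain and the flags."""
    return {
        # v1 root in the trust store: rejected by default, accepted with the flag
        "v1_root_default": verify_chain([LEAF_A], TRUSTED)[0],
        "v1_root_flag": verify_chain([LEAF_A], TRUSTED, ALLOW_V1_CA_CRT)[0],
        # v1 intermediate sent by the peer: rejected even with the flag
        "v1_intermediate_flag": verify_chain([LEAF_B, INTER_V1], TRUSTED, ALLOW_V1_CA_CRT)[0],
        # ordinary v3 chain needs no flag
        "v3_intermediate_default": verify_chain([LEAF_C, INTER_V3], TRUSTED)[0],
        # a v3 end-entity certificate (cA=false) cannot be used as an issuer
        "v3_leaf_as_issuer": verify_chain([LEAF_D, LEAF_C, INTER_V3], TRUSTED)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} {'accepted' if ok else 'rejected'}")
```

The point the model makes is the one in the reply: the flag widens what a configured trust anchor may look like, which is a decision the operator already made by installing that root, whereas accepting a v1 intermediate would let any certificate without basicConstraints act as a CA.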