help-gnutls

Re: [Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file


From: Nikos Mavrogiannopoulos
Subject: Re: [Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file
Date: Thu, 11 May 2006 21:50:26 +0200
User-agent: KMail/1.9.1

On Thu 11 May 2006 21:22, Simon Josefsson wrote:

> > The documentation implies that the CRL should be verified
> > beforehand, but I'm not sure what this means.  I know for sure that
> > it does not check dates; does it check the CRL's signature against
> > the loaded root CA cert?
>
> No, I don't think so.  You'll have to verify that beforehand.  This
> should probably be fixed, patches welcome.

Indeed. However the idea is to check the CRL on reception and not
every time it is used. That's why it is not done in that function.

> > If not, does the API provide a way to extract the loaded CRL from
> > the credentials structure and do the checking?
> Hm, I can't find any API for that.  Nikos?

No, there isn't, but why extract the loaded CRL, and not verify it
before you load it? (with the gnutls_x509_crl_* functions)


regards,
Nikos



