Re: NSM certificate prompt

From: Michael Albinus
Subject: Re: NSM certificate prompt
Date: Sun, 14 Dec 2014 13:52:10 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

Ted Zlatanov <address@hidden> writes:

> While CRL support is a good way to deal with this in general, I still
> think giving the user the option to manage their trustfiles is valuable.
> But we should definitely try to support CRLs or DANE more urgently,
> rather than expecting the user to manage trustfiles and certificate
> revocations.

CRLs are a good thing, in theory. But they work only when you are
online, and when you are able to retrieve a proper CRL from the CA. If
the CA is blocked by whatever means, CRLs don't work.

DANE uses an independent way in order to give you trust in a given
certificate (via DNSSEC). However, I don't know how much it is supported
already, by both the servers and by gnutls as client.

I do not object to supporting CRLs and DANE, but we shouldn't expect
perfect trust then.

> Ted

Best regards, Michael.
