[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Test failure of ‘chainverify’

From: Nikos Mavrogiannopoulos
Subject: Re: Test failure of ‘chainverify’
Date: Thu, 11 Mar 2010 20:58:34 +0100
User-agent: Thunderbird (X11/20090817)

Ludovic Courtès wrote:
> Hello,
> The ‘chainverify’ test currently fails with the latest libtasn1 and
> libgcrypt:

Ok it seems that the test that verifies an expired trusted certificate
fails. That is because the current code considers trusted as ultimately
trusted even for the first certificate in the chain (the previous code
did that for all except for the first one- end user).

This uncovered an issue since there was no consistent treat of the
certificates in the trusted list. I believe the current behavior is fine
and rational (trust unconditionally anything in the trusted list), but
there might be arguments for not allowing weak algorithms and expired
certificates in the trusted list (or have additional flag(s) for them).

What do you think?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]