gnutls-devel

Re: trusted intermediate CAs


From: Daniel Kahn Gillmor
Subject: Re: trusted intermediate CAs
Date: Wed, 12 Nov 2008 14:34:21 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

On Wed 2008-11-12 03:29:41 -0500, Simon Josefsson wrote:

> Btw, note that certtool -e does not use the same chain validation
> algorithm as the GnuTLS library uses -- I believe certtool -e would
> have rejected the faulty gnutls-sa-2008-3 chain.

Why does certtool not use the same validation technique used in the
library?  Is this a deliberate design decision?  Is there a simple
invocation i can use if i have a certificate chain (but no access to
the end entity's private key) and i want to see how the library would
treat it?

certtool --verify-chain seems like the obvious choice (just like i
expect "openssl verify" to faithfully exercise libssl behavior).  What
am i missing?  What is the advantage to having certtool run a
different set of tests?

  --dkg

Attachment: pgpuVKvw3o9cn.pgp
Description: PGP signature
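The question above is about what a chain validator actually checks. As an added illustration (not code from GnuTLS, certtool or the thread participants), here is a small Python model of X.509 path validation that makes the security-relevant decision explicit: a chain is accepted only when it terminates in a certificate that is in the configured trust store (or is issued directly by one); a self-signed certificate appended to the end of a chain is not a trust anchor by itself. Every certificate, key label and trust-store entry below is constructed, and signature verification is simulated by comparing key labels instead of doing real cryptography.

```python
"""Toy X.509 path validation model (constructed example, not GnuTLS code).

A certificate is reduced to the fields that drive chain building: subject,
issuer, a label for the public key it carries, a label for the key that
signed it, and basicConstraints (CA flag plus pathLenConstraint).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str                        # label of the public key in this cert
    sig_key: str                    # label of the key that signed this cert
    is_ca: bool = False
    path_len: Optional[int] = None  # pathLenConstraint; None means no limit


TrustStore = Dict[str, str]         # trust anchors: subject -> key label


def _check_link(cert: Cert, issuer: Cert, depth: int) -> Optional[str]:
    """Return an error string if `issuer` may not have issued `cert`."""
    if cert.issuer != issuer.subject:
        return f"{cert.subject!r}: issuer name does not match {issuer.subject!r}"
    if cert.sig_key != issuer.key:
        return f"{cert.subject!r}: signature does not verify with {issuer.subject!r}'s key"
    if not issuer.is_ca:
        return f"{issuer.subject!r} is not a CA (basicConstraints)"
    # `depth` CA certificates sit strictly between this issuer and the leaf.
    if issuer.path_len is not None and depth > issuer.path_len:
        return f"{issuer.subject!r}: pathLenConstraint {issuer.path_len} exceeded ({depth})"
    return None


def verify_chain(chain: List[Cert], trust: TrustStore) -> Tuple[bool, str]:
    """Validate chain[0] (end entity) up to a trust anchor.

    chain[i] must be issued by chain[i+1].  Validation stops at the first
    certificate that is itself a trust anchor; a chain whose last certificate
    is merely self-signed, but absent from `trust`, is rejected.
    """
    if not chain:
        return False, "empty chain"
    for depth, cert in enumerate(chain):
        if trust.get(cert.subject) == cert.key:
            return True, f"anchored at {cert.subject!r} (depth {depth})"
        if depth + 1 < len(chain):
            issuer, from_store = chain[depth + 1], False
        elif cert.issuer in trust:
            # Issuer was not sent in the chain but is a configured anchor.
            k = trust[cert.issuer]
            issuer, from_store = Cert(cert.issuer, cert.issuer, k, k, is_ca=True), True
        else:
            return False, (f"chain ends at {cert.subject!r}, which is neither a "
                           f"trust anchor nor issued by one")
        err = _check_link(cert, issuer, depth)
        if err:
            return False, err
        if from_store:
            return True, f"anchored at {issuer.subject!r} from the trust store"
    return False, "unreachable"


# Constructed sample certificates and trust store.
ROOT = Cert("Example Root CA", "Example Root CA", "k_root", "k_root", is_ca=True)
INTER = Cert("Example Intermediate CA", "Example Root CA", "k_int", "k_root",
             is_ca=True, path_len=0)
LEAF = Cert("www.example.com", "Example Intermediate CA", "k_leaf", "k_int")
SUBINT = Cert("Example Sub-CA", "Example Intermediate CA", "k_sub", "k_int", is_ca=True)
DEEP_LEAF = Cert("deep.example.com", "Example Sub-CA", "k_deep", "k_sub")
EVIL = Cert("evil.example.com", "www.example.com", "k_evil", "k_leaf")
ROGUE_ROOT = Cert("Rogue Root", "Rogue Root", "k_rogue", "k_rogue", is_ca=True)
ROGUE_INT = Cert("Rogue Intermediate", "Rogue Root", "k_rint", "k_rogue", is_ca=True)
ROGUE_LEAF = Cert("www.example.com", "Rogue Intermediate", "k_rleaf", "k_rint")
TRUST: TrustStore = {ROOT.subject: ROOT.key}


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run the validator over representative chains."""
    return {
        "full_chain": verify_chain([LEAF, INTER, ROOT], TRUST),
        "root_omitted": verify_chain([LEAF, INTER], TRUST),
        "rogue_self_signed_tail": verify_chain([ROGUE_LEAF, ROGUE_INT, ROGUE_ROOT], TRUST),
        "leaf_used_as_issuer": verify_chain([EVIL, LEAF, INTER, ROOT], TRUST),
        "path_len_exceeded": verify_chain([DEEP_LEAF, SUBINT, INTER, ROOT], TRUST),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:24s} {'OK  ' if ok else 'FAIL'} {why}")
```

The point for the thread: whatever tool you use to exercise a chain, the check that matters is the one in `verify_chain` that refuses to end at a certificate that is not in the trust store, and a command-line verifier is only a faithful test of the library if it applies that same rule.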

