Re: trusted intermediate CAs
From: Daniel Kahn Gillmor
Subject: Re: trusted intermediate CAs
Date: Wed, 12 Nov 2008 14:34:21 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

On Wed 2008-11-12 03:29:41 -0500, Simon Josefsson wrote:

> Btw, note that certtool -e does not use the same chain validation
> algorithm as the GnuTLS library uses -- I believe certtool -e would
> have rejected the faulty gnutls-sa-2008-3 chain.

Why does certtool not use the same validation technique used in the
library? Is this a deliberate design decision? Is there a simple
invocation i can use if i have a certificate chain (but no access to
the end entity's private key) and i want to see how the library would
treat it?

certtool --verify-chain seems like the obvious choice (just like i
expect "openssl verify" to faithfully exercise libssl behavior). What
am i missing? What is the advantage to having certtool run a
different set of tests?

--dkg