trusted intermediate CAs

Daniel Kahn Gillmor dkg at
Wed Nov 12 20:34:21 CET 2008

On Wed 2008-11-12 03:29:41 -0500, Simon Josefsson wrote:

> Btw, note that certtool -e does not use the same chain validation
> algorithm as the GnuTLS library uses -- I believe certtool -e would
> have rejected the faulty gnutls-sa-2008-3 chain.

Why does certtool not use the same validation technique used in the
library?  Is this a deliberate design decision?  Is there a simple
invocation i can use if i have a certificate chain (but no access to
the end entity's private key) and i want to see how the library would
treat it?

certtool --verify-chain seems like the obvious choice (just like i
expect "openssl verify" to faithfully exercise libssl behavior).  What
am i missing?  What is the advantage to having certtool run a
different set of tests?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20081112/4d767a56/attachment.pgp>

More information about the Gnutls-devel mailing list