trusted intermediate CAs

Nikos Mavrogiannopoulos nmav at
Wed Nov 12 22:41:32 CET 2008

Daniel Kahn Gillmor wrote:
> On Wed 2008-11-12 03:29:41 -0500, Simon Josefsson wrote:
>> Btw, note that certtool -e does not use the same chain validation
>> algorithm as the GnuTLS library uses -- I believe certtool -e would
>> have rejected the faulty gnutls-sa-2008-3 chain.
> Why does certtool not use the same validation technique used in the
> library?  Is this a deliberate design decision? 

Yes. As I explained in a previous email, the library doesn't export any
high level verification function to verify certificate chains. I
expected applications to use their own and that's what certtool it does.

> Is there a simple
> invocation i can use if i have a certificate chain (but no access to
> the end entity's private key) and i want to see how the library would
> treat it?

No. The certtool interface is quite primitive and could be improved (say
support a trusted certificate list or more).


More information about the Gnutls-devel mailing list