trusted intermediate CAs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Nov 13 00:27:39 CET 2008


On Wed 2008-11-12 16:41:32 -0500, Nikos Mavrogiannopoulos wrote:

> the library doesn't export any high level verification function to
> verify certificate chains.

What about gnutls_x509_crt_list_verify() and
gnutls_certificate_verify_peers2() ?  The latter is used in src/srv.c
and srv/cli.c, and i think it calls the former under the hood (using
data from the TLS session to fill in the specific parameters).

Those seem like high-level functions to verify certificate chains to
me.  Did you mean something else?

> I expected applications to use their own and that's what certtool it
> does.

_verify_x509_mem() in certtool.c looks like it implements a very
similar goal to the goal addressed by gnutls_x509_crt_list_verify().
If there is an alternate validation method that might be superior to
gnutls_x509_crt_list_verify(), why not fold it into that function?

If the alternate method raises DoS or resource consumption concerns,
the library could offer it as an alternative function, so that
GnuTLS-based tools in non-DoS-sensitive environments could take
advantage of it.

I think it would be really useful to have certtool reflect the
internal workings of GnuTLS as closely as possible, not least for the
sake of providing tools to help admins who are trying to debug/test
GnuTLS-based applications.

Regards,

         --dkg