Test failure of ‘chainverify’

Ludovic Courtès ludo at gnu.org
Thu Mar 11 21:35:08 CET 2010


Hi Nikos,

Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:

> Ludovic Courtès wrote:
>> Hello,
>> 
>> The ‘chainverify’ test currently fails with the latest libtasn1 and
>> libgcrypt:
>
> Ok it seems that the test that verifies an expired trusted certificate
> fails. That is because the current code considers trusted as ultimately
> trusted even for the first certificate in the chain (the previous code
> did that for all except for the first one, the end user).
>
> This uncovered an issue since there was no consistent treatment of the
> certificates in the trusted list. I believe the current behavior is fine
> and rational (trust unconditionally anything in the trusted list), but
> there might be arguments for not allowing weak algorithms and expired
> certificates in the trusted list (or have additional flag(s) for them).
>
> What do you think?

Not much.  :-)

I’m not an X509 person and definitely not a fan of hierarchical trust
models with holy certification authorities.

In the context of OpenPGP I’d say that verifying certificates is really
user- and/or application-dependent.  For instance, some might want to
take expiration dates into account while others might not care (after
all, a time stamp in an OpenPGP public key doesn’t mean much.)

For X509 it may be that the best that can be done is to follow the
spirit of the standard, however questionable it may be.

My 2¢...

Thanks,
Ludo’.
