[gnutls-devel] DANE validation
Gabor Toth
tg at tgbit.net
Sun Feb 17 17:09:49 CET 2013
Hi,
I've taken a brief look at the DANE validation functionality GnuTLS provides.
It seems incomplete, even though from the documentation one might assume
otherwise. Problematic points I found so far:
- it does not do PKIX path validation, not even certificate signatures are
verified in the chain.
- in the case of usage 0 & 2, only the direct issuer is checked instead of the
whole chain
As described in the RFC [1], PKIX path validation should be performed either using the
trust anchor specified in the TLSA record (usage 2), or using the system trust
anchors (usage 0 & 1).
-tg
[1] https://tools.ietf.org/html/rfc6698#section-2.1.1
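As an added illustration of the RFC 6698 section 2.1.1 semantics the message refers to (this is example code written for this page, not GnuTLS's DANE implementation), the following Python walks the whole certificate chain for usages 0 and 2 and then hands the path to PKIX validation with the right trust anchors: the system anchors for usages 0 and 1, and the TLSA-matched certificate itself for usage 2. It assumes certificates have already been parsed into a small `Cert` record (DER bytes, DER SubjectPublicKeyInfo, subject and issuer names), that the caller supplies a `pkix_validate(path, anchors)` function, and it uses a toy name-chaining validator and constructed byte strings in place of real certificates and signature checks.

```python
"""DANE (RFC 6698) association check over the whole chain, plus the PKIX step.

Added example, not GnuTLS code. Certificates are modelled as already-parsed
records; PKIX validation is delegated to a caller-supplied function.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

# Field values from RFC 6698 section 2.1.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass(frozen=True)
class Cert:
    """Assumed parsed form of a certificate (a real implementation takes these
    from its X.509 parser)."""
    subject: str
    issuer: str
    der: bytes   # full DER encoding (selector 0)
    spki: bytes  # DER SubjectPublicKeyInfo (selector 1)


@dataclass(frozen=True)
class DaneResult:
    ok: bool
    reason: str
    matched: Optional[int]  # index into the chain of the TLSA-matching cert
    anchors: str            # which anchors the PKIX step used: system / tlsa / none


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Bytes the TLSA 'certificate association data' field is compared against."""
    if selector == SEL_FULL_CERT:
        raw = cert.der
    elif selector == SEL_SPKI:
        raw = cert.spki
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_EXACT:
        return raw
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(raw).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def matches(cert: Cert, rec: TLSARecord) -> bool:
    return association_data(cert, rec.selector, rec.matching_type) == rec.data


PkixValidator = Callable[[Sequence[Cert], Sequence[Cert]], bool]


def verify_dane(rec: TLSARecord, chain: Sequence[Cert],
                pkix_validate: PkixValidator, system_anchors: Sequence[Cert]) -> DaneResult:
    """chain[0] is the end-entity cert, chain[1:] the issuers as sent by the server.
    pkix_validate(path, anchors) must do full PKIX path validation (signatures,
    validity, name chaining) and return True on success; it is assumed here."""
    if not chain:
        return DaneResult(False, "empty chain", None, "none")
    if rec.usage == USAGE_DANE_EE:  # usage 3: end entity only, PKIX not required
        ok = matches(chain[0], rec)
        return DaneResult(ok, "usage 3: end-entity " + ("match" if ok else "mismatch"), 0 if ok else None, "none")
    if rec.usage == USAGE_PKIX_EE:  # usage 1: end entity matches AND PKIX against system anchors
        if not matches(chain[0], rec):
            return DaneResult(False, "usage 1: end-entity mismatch", None, "system")
        ok = pkix_validate(chain, system_anchors)
        return DaneResult(ok, "usage 1: PKIX " + ("ok" if ok else "failed"), 0, "system")
    if rec.usage == USAGE_PKIX_TA:  # usage 0: a CA anywhere in the path matches AND PKIX against system anchors
        for i in range(1, len(chain)):  # every issuer, not just chain[1]
            if matches(chain[i], rec):
                ok = pkix_validate(chain, system_anchors)
                return DaneResult(ok, "usage 0: PKIX " + ("ok" if ok else "failed"), i, "system")
        return DaneResult(False, "usage 0: no CA in chain matches the TLSA record", None, "system")
    if rec.usage == USAGE_DANE_TA:  # usage 2: the matching cert is the trust anchor for PKIX
        for i, cert in enumerate(chain):
            if matches(cert, rec):
                ok = pkix_validate(chain[:i + 1], [cert])  # path ends at the TLSA anchor
                return DaneResult(ok, "usage 2: PKIX " + ("ok" if ok else "failed"), i, "tlsa")
        return DaneResult(False, "usage 2: no cert in chain matches the TLSA record", None, "tlsa")
    return DaneResult(False, f"unknown usage {rec.usage}", None, "none")


def toy_pkix_validate(path: Sequence[Cert], anchors: Sequence[Cert]) -> bool:
    """Stand-in for real PKIX validation (assumption for this example): only checks
    issuer/subject chaining and that the path ends at, or is issued by, an anchor.
    A real validator also verifies every signature, validity period, constraints."""
    if not path:
        return False
    for cur, nxt in zip(path, path[1:]):
        if cur.issuer != nxt.subject:
            return False
    last = path[-1]
    return any(last.der == a.der or last.issuer == a.subject for a in anchors)


def sample_chain():
    """Constructed data: the byte strings stand in for DER, they are not real certs."""
    root = Cert("Example Root CA", "Example Root CA", b"DER:root", b"SPKI:root")
    inter = Cert("Example Intermediate CA", "Example Root CA", b"DER:inter", b"SPKI:inter")
    leaf = Cert("www.example.com", "Example Intermediate CA", b"DER:leaf", b"SPKI:leaf")
    return [leaf, inter, root]


if __name__ == "__main__":
    leaf, inter, root = sample_chain()
    # "2 1 1" record pinning the root's SPKI: two hops above the leaf, so a check
    # limited to the direct issuer (inter) would never find it.
    rec = TLSARecord(USAGE_DANE_TA, SEL_SPKI, MATCH_SHA256, hashlib.sha256(root.spki).digest())
    print(verify_dane(rec, [leaf, inter, root], toy_pkix_validate, system_anchors=[]))
```

The point the example makes is in the two loops: a usage 0 or 2 record may name any certificate in the path, and finding the match is only half the job, since the returned result still depends on the PKIX step succeeding with the anchors the usage prescribes.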