[gnutls-devel] DANE validation
tg at tgbit.net
Sun Feb 17 17:09:49 CET 2013
I've taken a brief look at the DANE validation functionality GnuTLS provides.
It seems incomplete, even though from the documentation one might assume
otherwise. Problematic points I found so far:
- it does not do PKIX path validation, not even certificate signatures are
verified in the chain.
- in case of usage 0 & 2, only the direct issuer is checked instead of the
As described in the RFC, PKIX path validation should be performed either using the
trust anchor specified in the TLSA record (usage 2), or using the system trust
anchors (usage 0 & 1)
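As an added illustration of the behaviour the RFC asks for (this is not code from GnuTLS or from the original post), the following Python sketch implements the usage-dependent TLSA matching over a whole chain, with PKIX path validation abstracted behind an assumed `pkix_valid` callback; the `Cert` class, the chain, `ISSUED_BY` and `SYSTEM_ROOTS` are constructed stand-ins:

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 cert: only the bytes a TLSA match needs."""
    name: str
    der: bytes    # selector 0 matches the whole DER certificate
    spki: bytes   # selector 1 matches the DER SubjectPublicKeyInfo

def tlsa_matches(cert: Cert, selector: int, mtype: int, data: bytes) -> bool:
    """RFC 6698 s2.1: pick cert or SPKI, then compare exact / SHA-256 / SHA-512."""
    chosen = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return chosen == data
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](chosen).digest() == data

def dane_verify(chain: List[Cert], usage: int, selector: int, mtype: int, data: bytes,
                pkix_valid: Callable[[List[Cert], Optional[Cert]], bool]) -> bool:
    """chain[0] is the end entity, later entries are its issuers in order.
    pkix_valid(path, anchor) is assumed to do full PKIX validation of `path`,
    ending at `anchor` (usage 2) or at a system trust anchor when anchor is None."""
    if usage == 0:   # CA constraint: some issuer in the PKIX-valid chain must match
        return pkix_valid(chain, None) and any(
            tlsa_matches(c, selector, mtype, data) for c in chain[1:])
    if usage == 1:   # service cert constraint: end entity must match, plus PKIX
        return pkix_valid(chain, None) and tlsa_matches(chain[0], selector, mtype, data)
    if usage == 2:   # trust anchor assertion: the match may sit at any depth
        for idx, cert in enumerate(chain):
            if tlsa_matches(cert, selector, mtype, data):
                return pkix_valid(chain[:idx + 1], cert)
        return False
    if usage == 3:   # domain-issued cert: end entity must match, no PKIX at all
        return tlsa_matches(chain[0], selector, mtype, data)
    raise ValueError("unknown TLSA certificate usage %d" % usage)

# Constructed three-level chain; the byte strings are fake, not real DER.
LEAF = Cert("leaf", b"leaf-der", b"leaf-spki")
INTER = Cert("intermediate", b"inter-der", b"inter-spki")
ROOT = Cert("root", b"root-der", b"root-spki")
CHAIN = [LEAF, INTER, ROOT]
ISSUED_BY = {"leaf": "intermediate", "intermediate": "root"}  # stands in for signatures
SYSTEM_ROOTS = {"root"}

def toy_pkix_valid(path: List[Cert], anchor: Optional[Cert]) -> bool:
    """Placeholder for real PKIX validation: each link must be in ISSUED_BY and the
    path must end at the requested anchor (or at a system root when anchor is None)."""
    if any(ISSUED_BY.get(c.name) != p.name for c, p in zip(path, path[1:])):
        return False
    return path[-1].name == anchor.name if anchor else path[-1].name in SYSTEM_ROOTS

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()
```

Checking the matched record against every chain element (usage 2) rather than only the direct issuer is what lets a TLSA record pinning the root still validate a leaf that is two links away.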