[gnutls-devel] DANE validation
nmav at gnutls.org
Sun Feb 17 20:32:51 CET 2013
On Sun, Feb 17, 2013 at 5:09 PM, Gabor Toth <tg at tgbit.net> wrote:
> I've taken a brief look at the DANE validation functionality GnuTLS provides.
> It seems incomplete, even though from the documentation one might assume
> otherwise. Problematic points I found so far:
What you consider an issue, is intentional. The DANE protocol (which
is supposedly DNS-Based Authentication of Named Entities), tries to
enforce methods of authentication that are unrelated to DNS. The DANE
implementation of gnutls is restricted to the DNS validation aspect
only. If one would like to do PKIX validation he can do it, but not
through the DANE subsystem.
You may see reasoning behind that at:
> - in case of usage 0 & 2, only the direct issuer is checked instead of the
> whole chain
That's also intentional. What scenario do you have in mind that is not
covered by the current case?
> As described in the RFC, PKIX path validation should be performed either using the
> trust anchor specified in the TLSA record (usage 2), or using the system trust
> anchors (usage 0 & 1)
In gnutls DANE validation is independent to other certificate
validation methods. One can do PKIX validation, DANE (as DNS-based),
TOFU (trust on first use) or any combination of them.
One could of course strictly follow the DANE RFC validation methods if
he needs to.
More information about the Gnutls-devel