[gnutls-devel] DANE validation
nmav at gnutls.org
Sun Feb 24 12:19:26 CET 2013
On 02/17/2013 10:20 PM, Gabor Toth wrote:
>> One could of course strictly follow the DANE RFC validation methods if
>> he needs to.
> The current API does not make it easy to do that. In case of usage 2, the trust
> anchor specified in the TLSA record should be used for PKIX path validation. In
> this case dane_verify_crt() could return the index of the certificate in the
> chain that matched as trust anchor, so that PKIX path validation could be
> performed up to that certificate in the chain, possibly using
> gnutls_x509_crt_verify() with the returned trust anchor as the CA_list argument.
I've checked it a bit further and I don't think that what you mention
above is needed. The DANE check verifies that the given chain satisfies
the DANE constraints (either certificate or CA). Then you can use normal
PKIX verification in the chain. Unless you need it for optimization
purposes, you don't need to know any index to perform the verification.
More information about the Gnutls-devel