[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sun Sep 16 18:30:21 CEST 2018
> That was intentional when DANE was implemented. I found the "trust anchor assertion" obsurd at
> the time. So the way it was implemented was for the validation intention/plan has to be
> specified by the user, not the server.
Browsing over the RFCs I agree that there is *some* client policy involved (e.g. MTAs my treat PKIX-TA/PKIX-EE as "unusable"). However with the current setup I am missing the expected result of a --dane option:
**X** Full DANE support, i.e. additional checking of ca-verification with PKIX-TA/PKIX-EE but not for DANE-TA/DANE-EE. Do the right thing with mixed/multiple TLSA records.
Instead gnutls-cli supports the following policies:
1. Ignore TLSA, no DANE support (--dane not specified)
2. Require DANE success in addition to ca-verification (--dane)
3. Treat PKIX-TA as if DANE-TA was set, treat PKIX-EE as if DANE-EE was used. (--dane --no-ca-verification)
I do not know what policies really make sense (apart from **X** and **1**) since I have not read all the RFCs. e.g. rfc7672 (SMTP) could use a policy to ignore PKIX-EE/PKIX-TA.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/557#note_101686429
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel