[Help-gnutls] Re: CA cert verification

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Aug 24 19:48:37 CEST 2005


On Wednesday 24 August 2005 17:58, Martin Lambers wrote:

> >   * Note that some commonly used X.509 Certificate Authorities are
> >   * still using Version 1 certificates.  If you want to accept them,
> >   * you need to call gnutls_certificate_set_verify_flags() with, e.g.,
> >   * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter.
> What is the reason why Version 1 certificates are not accepted by
> default? Is it safe to always set the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT
> flag?

In general it is not. A v1 certificate does not contain information about its
status (CA, person, etc.). You may think that this is not that bad since this
is a trusted list anyway.

The problem arises when people add single non-CA certificates to this list.
Say someone adds the certificate of a web site there. This would have the
effect that this certificate is able to certify others. This is not
desirable. (The proper solution, though, would be not to use the trusted list
for these non-CA certificates.)


-- 
Nikos Mavrogiannopoulos
