[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'

Ludovic Courtès ludo at chbouib.org
Mon May 14 09:25:03 CEST 2007


Hi,

Simon Josefsson <simon at josefsson.org> writes:

> ludo at chbouib.org (Ludovic Courtès) writes:

>> I was not expecting such behavior, though.  Roughly, I had copied my
>> OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced
>> "openpgp" with "x509".  The fact that we need to specify a trust file in
>> X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work
>> creates a slight asymmetry.
>
> I think the asymmetry can be traced back to the protocols.  Certificate
> requests with X.509 requires that the user cert matches the CA cert, but
> with OpenPGP such a check isn't applicable.

Right.

> I don't know whether it is OK for a client to send a X.509 client cert
> that doesn't match one of the authorities sent by the server.  Maybe
> that should be possible?

Sections 7.4.4 and 7.4.6 of RFC 4346 do not mention it explicitly, but
they seem to imply that a "suitable" certificate is one that matches
the "known roots and [...] desired authorization space" specified in the
`certificate_authorities' field of the certificate request.

Thanks,
Ludovic.








More information about the Gnutls-help mailing list