[Help-gnutls] Is gnutls using the shell model or the chain model for a certificate validation

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Nov 6 20:18:20 CET 2008


On Thu 2008-11-06 07:38:28 -0500, Scott Schaeffner wrote:

> gnupgp contains a parameter to determine which of these two certificate
> validation models (shell or chain - --validation-model) shall be used
> (http://gnupg.org/documentation/manuals/gnupg/Certificate-Options.html).

To be clear, this gpg documentation is in the "GPGSM Options" section,
so it refers to the X.509 certificates, not OpenPGP certificates,
correct?

> I was looking into the gnutls manual and did not find a statement
> concerning the validation model that is being used.

I don't see any clear notes on the page you linked explaining
specifically what "shell" and "chain" mean in this context.  However,
GnuTLS has several functions that can be used for X.509 certificate
validation:

 http://www.gnu.org/software/gnutls/manual/html_node/Verifying-X_002e509-certificate-paths.html
 http://www.gnu.org/software/gnutls/manual/html_node/X_002e509-certificate-functions.html

You should be able to use those functions to build a certificate
validation that meets your specific needs.  What are you trying to do?

           --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20081106/269dfa3a/attachment.pgp>


More information about the Gnutls-help mailing list