[Help-gnutls] Re: Is gnutls using the shell model or the chain model for a certificate validation
Simon Josefsson
simon at josefsson.org
Mon Nov 10 12:30:24 CET 2008
Scott Schaeffner <sschaeffner at hotmail.com> writes:
> Hello,
>
> Here the message (response to gnu.org #388183) I'd like to post:
> ----------------------------------------------------------------
>>I don't see any clear notes on the page you linked explaining
>>specifically what "shell" and "chain" mean in this context.
>
>
>
> The power point presentation http://www.bundesnetzagentur.de/media/archive/1894.pps#259 shows the differences concerning the two different validation models.
>
>
>
> I furthermore found a note that indicates that in germany the chain model is required (http://www.adobe.com/devnet/acrobat/pdfs/admin_guide.pdf section 5.4.4.2)
>
>
>
> I did not have a detailed look into the implementation yet, so I am not
> sure if gnutls offers one function for a certificate chain validation
> or if you have to implement the verification of the chain on your own
> and gnutls only offers the functions for that.
I'm not sure I understand the difference between the shell vs chain
models based on that powerpoint, but I can say that there is only one
algorithm implemented in gnutls for x.509 validation, and it validates
X.509 paths in a chaining way. Whether that matches what you are
looking for is not clear to me. You can read the code in
lib/x509/verify.c.
/Simon
More information about the Gnutls-help
mailing list