[Help-gnutls] Is gnutls using the shell model or the chain model for a certificate validation

Scott Schaeffner sschaeffner at hotmail.com
Thu Nov 13 08:11:59 CET 2008

I meanwhile found a reference that uses the shell model validation without naming it explicitly as shell model.
Document rfc5280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" explains in section 6 the "Certification Path Validation".

Section  6.1.3. (a)(2) states that the timestamp of the validation(system date) has to be within the validity period of all certificates in the validation path.

It uses the validation method that was named "shell model" in the referenced presentation. Currently I do not have any references concerning the "chain" validation model, however as the presentation was made by the Bundesnetzagentur which is a state agency in Germany, I guess it is used.

The general question for us was which validation model shall we use for our implementation. We will go for the shell model that is also used in the rfc5280.

Thanks for all the comments concerning this issue. 
Connect to the next generation of MSN Messenger 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20081113/1d23d7d3/attachment.htm>

More information about the Gnutls-help mailing list