[Help-gnutls] Re: Is gnutls using the shell model or the chain model for a certificate validation

Simon Josefsson simon at josefsson.org
Thu Nov 13 09:35:37 CET 2008

Scott Schaeffner <sschaeffner at hotmail.com> writes:

> I meanwhile found a reference that uses the shell model validation without naming it explicitly as shell model.
> Document rfc5280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" explains in section 6 the "Certification Path Validation".
> Section 6.1.3 (a)(2) states that the timestamp of the validation (system date) has to be within the validity period of all certificates in the validation path.
> It uses the validation method that was named "shell model" in the referenced presentation. Currently I do not have any references concerning the "chain" validation model, however as the presentation was made by the Bundesnetzagentur which is a state agency in Germany, I guess it is used.
> The general question for us was which validation model shall we use for our implementation. We will go for the shell model that is also used in the rfc5280.

I think using the RFC 5280 algorithm won't be a bad choice.  At least
you can point at the RFC authors when someone discovers a logical flaw
in it. ;)

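To make the distinction the thread is about concrete, here is an added example (not code from the thread or from GnuTLS) that implements the RFC 5280 section 6.1.3 (a)(2) "shell model" check over a constructed certification path and, for contrast, the "chain model" as it is commonly described (each issuer must have been valid when it issued the next certificate, and only the end-entity certificate is checked against the validation time); the thread mentions the chain model but does not define it, so that rule is an assumption. The `Cert` records carry only the validity fields, with the issuing time approximated by the issued certificate's notBefore.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Only the fields the validity models look at (constructed, not real X.509)."""
    subject: str
    not_before: datetime
    not_after: datetime


def shell_model_valid(path, at):
    """RFC 5280 6.1.3 (a)(2): every certificate in the path must be inside its
    own validity period at the single validation time `at`."""
    return all(c.not_before <= at <= c.not_after for c in path)


def chain_model_valid(path, at):
    """Chain model (assumed definition, not from the thread): the end-entity
    certificate must be valid at `at`, and each issuer must have been valid at
    the moment it issued its successor, approximated by the successor's
    notBefore. `path` is ordered trust anchor -> ... -> end entity."""
    leaf = path[-1]
    if not leaf.not_before <= at <= leaf.not_after:
        return False
    for issuer, issued in zip(path, path[1:]):
        if not issuer.not_before <= issued.not_before <= issuer.not_after:
            return False
    return True


def ts(s):
    """Parse a constructed 'YYYY-MM-DD' date as a UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


# Constructed path: trust anchor -> intermediate CA -> end-entity certificate.
# The intermediate expires in 2010 while the end-entity cert it issued runs to 2012,
# which is exactly the case where the two models disagree.
PATH = [
    Cert("Root CA", ts("2000-01-01"), ts("2020-01-01")),
    Cert("Intermediate CA", ts("2005-01-01"), ts("2010-01-01")),
    Cert("server.example", ts("2008-01-01"), ts("2012-01-01")),
]

if __name__ == "__main__":
    for when in ("2009-06-01", "2011-06-01", "2013-01-01"):
        t = ts(when)
        print(when, "shell:", shell_model_valid(PATH, t),
              "chain:", chain_model_valid(PATH, t))
```

Validating in 2011 is the interesting case: the shell model rejects the path because the intermediate has expired, while the chain model still accepts it because the intermediate was valid when it issued the leaf.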

More information about the Gnutls-help mailing list