[gnutls-help] Combining certificate verification mechanisms [was: Re: GnuTLS with TOFU verifies public keys, not certificates]

Jens Lechtenboerger jens.lechtenboerger at fsfe.org
Thu Apr 17 22:28:56 CEST 2014

On Thu, 17 Apr 2014 14:44:57 -0400, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> said:

> but if i connect using:
>  gnutls-cli --tofu www.google.com
> then i do see the certificate validation remark ("Status: The
> certificate is trusted.") but i am *also* prompted with the TOFU prompt.
>  If i say "no" on the TOFU prompt, the connection fails:
> Host www.google.com (https) has never been contacted before.
> Its certificate is valid for www.google.com.
> Are you sure you want to trust it? (y/N): n
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.
> 1 dkg at alice:~$

The above is precisely what I want.

Nikos wrote that the idea of TOFU was to trust even if PKI fails.

I use TOFU as I consider PKI to be broken.  Why should I trust PKI
with its assertion “Its certificate is valid for www.google.com”?

Best wishes
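The policy dkg's session above exhibits, written out as an added example (not GnuTLS code): PKI validation must pass, and the public key must additionally match the pinned one or be accepted for pinning on first contact. The in-memory store, the SHA-256 key fingerprint and the hard failure on a changed key are this example's own assumptions, not a description of gnutls-cli internals.

```python
import hashlib

# Constructed sample bytes standing in for a DER SubjectPublicKeyInfo (not a real key).
SAMPLE_KEY = b"constructed-subjectpublickeyinfo-bytes"


def key_fingerprint(pubkey_der: bytes) -> str:
    """TOFU pins the public key, not the whole certificate, so hash only that."""
    return hashlib.sha256(pubkey_der).hexdigest()


def tofu_check(store: dict, host: str, service: str, pubkey_der: bytes) -> str:
    """Compare against the known-hosts store: 'match', 'mismatch' or 'unknown'."""
    entry = (host, service)
    if entry not in store:
        return "unknown"
    return "match" if store[entry] == key_fingerprint(pubkey_der) else "mismatch"


def verify(store: dict, host: str, service: str, pubkey_der: bytes,
           pki_valid: bool, ask) -> tuple:
    """Combined check: PKI AND TOFU must both pass.

    ask(prompt) -> bool stands in for the interactive y/N prompt.
    Returns (accepted, reason).
    """
    if not pki_valid:
        # A TOFU match never overrides a failed chain validation here.
        return False, "certificate is not trusted by PKI"
    status = tofu_check(store, host, service, pubkey_der)
    if status == "match":
        return True, "certificate is trusted and matches the pinned key"
    if status == "mismatch":
        # Assumed policy: a changed key is a hard failure, not a prompt.
        return False, "pinned key changed; refusing"
    # First contact: PKI passed, so only the pinning decision is left to the user.
    prompt = (f"Host {host} ({service}) has never been contacted before.\n"
              f"Its certificate is valid for {host}.\n"
              "Are you sure you want to trust it? (y/N): ")
    if ask(prompt):
        store[(host, service)] = key_fingerprint(pubkey_der)
        return True, "pinned on first use"
    return False, "Error in the certificate"
```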
