List: gnutls-dev
Subject: [gnutls-dev] Re: gnutls_certificate_verify_peers2() does not handle
From: Simon Josefsson <jas () extundo ! com>
Date: 2005-06-03 15:33:26
Message-ID: iluacm7lak9.fsf () latte ! josefsson ! org
Rupert Kittinger <rkit@mur.at> writes:
> On Fri, 3 Jun 2005, Simon Josefsson wrote:
>
>> Rupert Kittinger <rkit@mur.at> writes:
>>
>> > Hi everybody,
>> >
>> > I think the x509 certificate check performed by
>> > gnutls_certificate_verify_peers2() is not sufficient, because it does not
>> > validate the various time constraints (activation/expiration of
>> > certificates, CAs, CRLs).
>>
>> Right. That is intentional, even if it is unfortunate.
>>
>> Did you see the example in section 7.3.4 of the manual? It tries to do
>> a bit more. Full verification of a certificate is application and
>> purpose dependent, so it is difficult to generalize.
>>
>
> I am quite aware of this. However, a lot of users of a library like
> this will not have detailed knowledge of X509 (and all its incarnations,
> sigh) and would profit from a "better safe than sorry" approach. Also, a
> detailed description of the algorithm used in the manual would be great,
> if only for its educational value :-)
Right, and I agree. It would be useful to have the algorithm in the
gnutls_certificate_verify_peers3 function documentation; then it would
end up in the manual, and would be easy to validate against the source
code.
> I hope I find the time to do this. Maybe some other people reading this
> list care to provide feedback on an improved certificate validation
> algorithm?
I hope so too. As for implementation, taking what's in the 7.3.4
example and making a GnuTLS API function of it should be a good start.
The details in the algorithm can be enhanced further on.
Cheers,
Simon
_______________________________________________
Gnutls-dev mailing list
Gnutls-dev@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnutls-dev