trusted intermediate CAs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Nov 12 20:34:21 CET 2008
On Wed 2008-11-12 03:29:41 -0500, Simon Josefsson wrote:
> Btw, note that certtool -e does not use the same chain validation
> algorithm as the GnuTLS library uses -- I believe certtool -e would
> have rejected the faulty gnutls-sa-2008-3 chain.
Why does certtool not use the same validation technique used in the
library? Is this a deliberate design decision? Is there a simple
invocation I can use if I have a certificate chain (but no access to
the end entity's private key) and I want to see how the library would
treat it?
certtool --verify-chain seems like the obvious choice (just like I
expect "openssl verify" to faithfully exercise libssl behavior). What
am I missing? What is the advantage to having certtool run a
different set of tests?
--dkg