Test failure of ‘chainverify’

Tomas Mraz tmraz at redhat.com
Fri Mar 12 09:45:17 CET 2010

On Thu, 2010-03-11 at 20:58 +0100, Nikos Mavrogiannopoulos wrote: 
> Ludovic Courtès wrote:
> > Hello,
> > 
> > The ‘chainverify’ test currently fails with the latest libtasn1 and
> > libgcrypt:
> Ok it seems that the test that verifies an expired trusted certificate
> fails. That is because the current code considers trusted as ultimately
> trusted even for the first certificate in the chain (the previous code
> did that for all except for the first one- end user).
> This uncovered an issue since there was no consistent treat of the
> certificates in the trusted list. I believe the current behavior is fine
> and rational (trust unconditionally anything in the trusted list), but
> there might be arguments for not allowing weak algorithms and expired
> certificates in the trusted list (or have additional flag(s) for them).
> What do you think?

I think you know my opinion, because this was one of my reasons why I've
proposed the patch which implements the current behavior. I do not think
that certificates which are directly on the trusted list should be
rejected if they are expired or signed with a weak algorithm. There
might be a slight argument for the expiry check because the expiration
might happen behind the notice of the user who put it to the trusted
list and arguably the expiration time signals that the
private-key/certificate should not be used after the time. However for
the weak algorithm check there is no reason at all because the signature
of the certificate is not relevant if we trust the public-key of the
certificate directly.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

More information about the Gnutls-devel mailing list