Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon May 7 18:15:54 CEST 2012


On 05/07/2012 12:35 PM, Richard Moore wrote:


>> Are there ways to identify the trust purpose of those certificates?
>> Is there any intention to standardize something like that, so we don't
>> end up with our own trust?
> 
> All the certs are trusted for all purposes in this scheme (subject to
> the keyusage flags they contain).


The problem is that there is no particular scheme and the keyusage
flags are set by the CA, not by the one who trusts the certificate.
Because Verisign has a certificate that says it is appropriate for
signing e-mail, it doesn't mean that I want to trust it.

regards,
Nikos
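As an added illustration of the point above (example code written for this page, not from the thread or from evolution-data-server/libsoup): the relying party's own trust store fixes which purposes a CA is trusted for, and the CA's self-asserted EKU can narrow but never widen that. The CA, its names and the store are constructed here, and the `cryptography` package is assumed to be installed.

```python
"""Added example: the relying party, not the CA, decides trust purposes."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Purposes the relying party recognises, mapped to the EKU OID a cert would carry.
PURPOSES = {
    "server": ExtendedKeyUsageOID.SERVER_AUTH,
    "email": ExtendedKeyUsageOID.EMAIL_PROTECTION,
}

def make_ca(common_name, ekus):
    """Build a self-signed CA whose EKU list is chosen by the CA itself (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .sign(key, hashes.SHA256()))

def cert_claims(cert, purpose):
    """What the CA asserts about itself through its own EKU extension."""
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return False
    return PURPOSES[purpose] in eku

def trusted_for(cert, purpose, trust_store):
    """Relying-party decision: the local store's purposes are the ceiling;
    the certificate's EKU can only remove purposes, never add them."""
    allowed = trust_store.get(cert.fingerprint(hashes.SHA256()), set())
    return purpose in allowed and cert_claims(cert, purpose)

# Constructed scenario: a CA that says it is fine for e-mail, but which the
# relying party installed for server authentication only.
ca = make_ca("Example Root CA (constructed)",
             [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION])
TRUST_STORE = {ca.fingerprint(hashes.SHA256()): {"server"}}
```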