Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Richard Moore rich at kde.org
Mon May 7 21:30:10 CEST 2012


On 7 May 2012 17:15, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On 05/07/2012 12:35 PM, Richard Moore wrote:
>
>
>>> Are there ways to identify the trust purpose of those certificates?
>>> Is there any intention to standardize something like that, so we don't
>>> end up with our own trust?
>>
>> All the certs are trusted for all purposes in this scheme (subject to
>> the keyusage flags they contain).
>
>
> The problem is that there is no particular scheme and the keyusage
> flags are set by the CA, not by the one who trusts the certificate.
> Because verisign has a certificate that says it is appropriate for
> signing e-mail, it doesn't mean that I want to trust it.

Yes, I understand what you're asking for and that's not something
that's supported. NSS has a more complete facility for this sort of
thing using a Berkeley db of certs, but iirc that's only used by
firefox and isn't actually supported by tools like thunderbird. I
think this is basically an area where there's no real support at all
under linux (and to be honest isn't something most users need or have
the ability to configure).

Cheers

Rich.
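The distinction the thread turns on, that extendedKeyUsage is set by the CA while the decision to trust that CA for a given purpose belongs to the relying party, can be shown with a small policy engine. The following is an added example, not code from the thread, from GnuTLS, from NSS or from evolution-data-server. It models per-purpose trust the way NSS certutil trust strings do (three comma-separated fields for SSL, e-mail and object signing; 'C' trusted CA, 'c' valid but untrusted CA, 'p' explicitly distrusted) and combines that with the EKU OIDs a CA put in its own certificate. The `CaRecord` type, the function names and the sample CA records are constructed for illustration; the EKU OIDs are the RFC 5280 values. Treating a CA's own EKU as a restriction on what it may issue is this example's simplification, not an RFC 5280 requirement.

```python
"""Relying-party trust purposes versus CA-declared extendedKeyUsage.

Added example (not from the gnutls-devel thread or any project). The
trust-string grammar follows NSS certutil; everything else is constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    SSL = 0
    EMAIL = 1
    OBJECT_SIGNING = 2


# extendedKeyUsage OIDs from RFC 5280 section 4.2.1.12, mapped to NSS purposes
EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": Purpose.SSL,             # id-kp-serverAuth
    "1.3.6.1.5.5.7.3.4": Purpose.EMAIL,           # id-kp-emailProtection
    "1.3.6.1.5.5.7.3.3": Purpose.OBJECT_SIGNING,  # id-kp-codeSigning
}
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage


@dataclass(frozen=True)
class CaRecord:
    """Hypothetical trust-store row: what the CA says plus what we decided."""
    name: str
    eku: frozenset   # OIDs the CA declared in its own cert; empty means absent
    trust: str       # NSS-style trust string, e.g. "CT,C,C" or "c,p,"


def parse_trust_string(trust):
    """Split 'ssl,email,objsign' into a per-purpose set of flag characters."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"trust string must have exactly 3 fields: {trust!r}")
    return {purpose: set(flags) for purpose, flags in zip(Purpose, fields)}


def ca_declares_purpose(rec, purpose):
    """The CA's own claim. An absent EKU or anyExtendedKeyUsage places no
    restriction; otherwise the purpose must be listed explicitly."""
    if not rec.eku or ANY_EKU in rec.eku:
        return True
    return any(EKU_OIDS.get(oid) == purpose for oid in rec.eku)


def relying_party_trusts(rec, purpose):
    """Our decision, independent of the CA: 'p' is explicit distrust and
    wins over everything; 'C' is explicit trust; anything else is no trust."""
    flags = parse_trust_string(rec.trust)[purpose]
    if "p" in flags:
        return False
    return "C" in flags


def trusted_for(rec, purpose):
    """Final answer: the CA must both declare the purpose and be trusted by
    us for it. The CA-set EKU can only narrow trust, never grant it."""
    return ca_declares_purpose(rec, purpose) and relying_party_trusts(rec, purpose)


# Constructed sample trust store (names and contents are invented).
SAMPLE_CAS = [
    # Declares server auth and e-mail protection; our policy: SSL only.
    CaRecord("Example Commercial CA",
             frozenset({"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.4"}), "C,,"),
    # No EKU at all (common for roots); trusted for every purpose.
    CaRecord("Example Root", frozenset(), "CT,C,C"),
    # Declares e-mail protection but is explicitly distrusted for it.
    CaRecord("Example Distrusted", frozenset({"1.3.6.1.5.5.7.3.4"}), "c,p,"),
]


def trust_report(cas=SAMPLE_CAS):
    """Map each CA name to {purpose name: trusted?} for the whole store."""
    return {rec.name: {p.name: trusted_for(rec, p) for p in Purpose} for rec in cas}


if __name__ == "__main__":
    for name, decisions in trust_report().items():
        print(name)
        for purpose, ok in decisions.items():
            print(f"  {purpose:15s} {'trusted' if ok else 'NOT trusted'}")
```

The second record is the case the thread complains about from the other direction: with no EKU the CA declares nothing, so the only thing that makes it trusted for e-mail is the relying party's own 'C' in the e-mail field. The third record shows why a local distrust flag is needed at all: the CA says it is fine for e-mail, and that claim is ignored.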
