[gnutls-devel] DANE validation

Gabor Toth tg at tgbit.net
Sun Feb 17 17:09:49 CET 2013


I've taken a brief look at the DANE validation functionality GnuTLS provides.
It seems incomplete, even though from the documentation one might assume
otherwise. Problematic points I found so far:

- it does not do PKIX path validation, not even certificate signatures are
  verified in the chain.
- in case of usage 0 & 2, only the direct issuer is checked instead of the
  whole chain

As described in the RFC[1], PKIX path validation should be performed either using the
trust anchor specified in the TLSA record (usage 2), or using the system trust
anchors (usage 0 & 1)


[1] https://tools.ietf.org/html/rfc6698#section-2.1.1

More information about the Gnutls-devel mailing list