[gnutls-devel] [PATCH V3] Check for all error conditions when verifying a certificate

[Nikos Mavrogiannopoulos]

On Wed, Sep 17, 2014 at 4:19 PM, Armin Burgmeier <armin at arbur.net> wrote:

>> So with your patch you'll get the status up to the point of first
>> failure. If the failure is in step 1 you'll get the full status for
>> CA->CA1 verification, but no flag will apply on ENDCERT. In your case
>> I think you verify against the scenario: CA -> ENDCERT, so you get
>> some reasonable flags. I don't know how reasonable these would be if
>> you are in a multiple CA scenario. Still it may make sense to do that
>> (in that case I should document that correctly), and I'm not sure
>> whether getting the flags of the 3 steps combined would offer much of
>> an advantage as they refer to multiple certificates. What do you think
>> of that? Is the current situation reasonable for your use case?
> Yes, I think it is reasonable. As you say in the scenario with
> intermediate CAs, the verification flags would be for multiple
> verifications combined, and therefore still lack some information. I
> think it is fine if it is documented that:
> a) the verification procedure stops if a failure has been found with one
> certificate in the chain.
> b) in that case all issues with that particular certificate are
> reported.
> c) the verification order starts from CA->CA1, then CA1->CA2, ..., then
> CAn -> ENDCERT
> d) if people need to know more details, they should run the verification
> for each certificate in the chain individually.

I've applied the patch as well some documentation in master. The plan
is to be included in the 3.4.0 branch.

regards,
Nikos