[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun Oct 7 09:19:14 CEST 2018


> I personally _think_ gnutls-cli dane support is not very useful as it is, i.e. this is not a documentation issue but an incomplete feature.

I agree, but this was an intentional design decision. DANE was implemented as an additional certificate validation mechanism, rather than as the primary validation mechanism which will trigger PKIX validation if it says so.

> Let's assume I want to use gnutls-cli to check whether I have set up DANE correctly.
...
> However I think we agree that it does not make sense to implement these arcane (possibly changing) policies in gnutls-cli.

> I do think though that the above 1/2abc should not be necessary, assuming the TLS-A choice is correct gnutls-cli should be able to verify trust, taking DANE correctly into account.

I would not be against such an improvement.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/557#note_107010123
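
Added example, not part of the original message and not GnuTLS code: the "primary validation mechanism" model mentioned in the reply, where the matching TLSA record decides whether PKIX validation is consulted at all. The names `Cert`, `TLSA`, `matches` and `dane_primary` are hypothetical; the usage, selector and matching-type numbers are those of RFC 6698, and the certificates are constructed byte strings.

```python
import hashlib
from collections import namedtuple

# Certificate usages from RFC 6698: 0/1 constrain PKIX, 2/3 replace it.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

Cert = namedtuple("Cert", "der spki")   # full DER and SubjectPublicKeyInfo bytes
TLSA = namedtuple("TLSA", "usage selector mtype data")

# Matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
HASHES = {0: lambda b: b,
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

def matches(rr, cert):
    """Compare one TLSA record with one certificate; unknown fields never match."""
    if rr.selector not in (0, 1) or rr.mtype not in HASHES:
        return False
    blob = cert.der if rr.selector == 0 else cert.spki
    return HASHES[rr.mtype](blob) == rr.data

def dane_primary(rrset, chain, pkix_ok):
    """DANE decides; PKIX is consulted only when the matching record asks for it.

    chain[0] is the end-entity certificate, the rest are its issuers.
    pkix_ok is the outcome of an ordinary PKIX validation done by the caller.
    Assumptions of this example: the chain signatures were already verified,
    and an empty TLSA set falls back to plain PKIX.
    """
    if not rrset:
        return pkix_ok, "no TLSA records, plain PKIX"
    for rr in rrset:
        if rr.usage not in (PKIX_TA, PKIX_EE, DANE_TA, DANE_EE):
            continue                                  # unusable record
        candidates = chain[:1] if rr.usage in (PKIX_EE, DANE_EE) else chain[1:]
        if not any(matches(rr, c) for c in candidates):
            continue
        if rr.usage in (DANE_TA, DANE_EE):
            return True, "DANE match, PKIX not required"
        if pkix_ok:
            return True, "DANE match and PKIX passed"
    return False, "no usable TLSA match"

# Constructed sample data, not real certificates.
EE = Cert(b"ee-cert-der", b"ee-spki")
CA = Cert(b"ca-cert-der", b"ca-spki")
CHAIN = [EE, CA]
```

In this model a TLSA set that matches nothing rejects the connection even when PKIX validation succeeded, which is the difference from treating DANE as an additional check.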