[gnutls-devel] GnuTLS | gnutls-cli - incomplete DANE support (#557)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun Sep 16 18:30:21 CEST 2018

> That was intentional when DANE was implemented. I found the "trust anchor assertion" absurd at
> the time. So the way it was implemented was that the validation intention/plan has to be
> specified by the user, not the server.

Browsing over the RFCs I agree that there is *some* client policy involved (e.g. MTAs may treat PKIX-TA/PKIX-EE as "unusable"). However, with the current setup I am missing the expected result of a --dane option:

**X** Full DANE support, i.e. additional checking of ca-verification with PKIX-TA/PKIX-EE but not for DANE-TA/DANE-EE. Do the right thing with mixed/multiple TLSA records.

Instead gnutls-cli supports the following policies:
1. Ignore TLSA, no DANE support (--dane not specified)
2. Require DANE success in addition to ca-verification (--dane)
3. Treat PKIX-TA as if DANE-TA was set, treat PKIX-EE as if DANE-EE was used. (--dane --no-ca-verification)

I do not know what policies really make sense (apart from **X** and **1**) since I have not read all the RFCs. E.g. rfc7672 (SMTP) could use a policy to ignore PKIX-EE/PKIX-TA.

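To make the difference between the three existing policies and the requested behaviour **X** concrete, here is a stand-alone model of the decision logic, added for this page and not code from gnutls-cli or GnuTLS. It assumes: certificates are represented as plain byte blobs (constructed sample bytes, not real DER); the PKIX verdict `pkix_ok` comes from a separate CA-based validator; the chain is leaf-first, with TA usages (PKIX-TA/DANE-TA) matched against the issuer certificates the server sent above the leaf and EE usages against the leaf; the policy names (`ignore`, `dane_plus_pkix`, `dane_no_pkix`, `full`, `smtp`) and the function names are made up for the example. The `smtp` policy sketches the RFC 7672 variant mentioned above (PKIX-* usages treated as unusable); its fallback to unauthenticated opportunistic TLS when no usable record exists is outside this model.

```python
"""Model of DANE/TLSA acceptance policies (illustration, not GnuTLS code)."""
import hashlib
from dataclasses import dataclass
from typing import Sequence

# TLSA certificate-usage values from RFC 6698; the names are from RFC 7218.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


@dataclass(frozen=True)
class Cert:
    """Stand-in for a certificate: the two things a TLSA selector can pick."""
    der: bytes   # selector 0: the whole certificate
    spki: bytes  # selector 1: the SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0..3, see constants above
    selector: int   # 0 = full cert, 1 = SPKI
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def association(cert: Cert, selector: int, matching: int) -> bytes:
    """The association data a TLSA record carries for `cert`."""
    picked = cert.der if selector == 0 else cert.spki
    if matching == 0:
        return picked
    if matching == 1:
        return hashlib.sha256(picked).digest()
    if matching == 2:
        return hashlib.sha512(picked).digest()
    raise ValueError(f"unknown matching type {matching}")


def record_matches(rec: TLSA, chain: Sequence[Cert]) -> bool:
    """Does `rec` match the server chain (leaf first)?

    EE usages must match the leaf; TA usages must match one of the issuer
    certificates the server presented above the leaf (assumption of the model).
    """
    if rec.usage in (PKIX_EE, DANE_EE):
        candidates = chain[:1]
    elif rec.usage in (PKIX_TA, DANE_TA):
        candidates = chain[1:]
    else:
        return False  # unknown usage: the record is unusable, ignore it
    return any(association(c, rec.selector, rec.matching) == rec.data
               for c in candidates)


def accept(records: Sequence[TLSA], chain: Sequence[Cert],
           pkix_ok: bool, policy: str) -> bool:
    """Combine the external PKIX verdict with the TLSA set under `policy`."""
    if policy == "ignore":            # 1. --dane not given: plain CA verification
        return pkix_ok
    if policy == "dane_plus_pkix":    # 2. --dane: CA verification AND any TLSA match
        return pkix_ok and any(record_matches(r, chain) for r in records)
    if policy == "dane_no_pkix":      # 3. --dane --no-ca-verification: TLSA only,
        return any(record_matches(r, chain) for r in records)  # PKIX-* act as DANE-*
    if policy == "full":              # X. per-record semantics, mixed sets allowed
        if not records:
            return pkix_ok            # no TLSA set at all: fall back to PKIX (assumption)
        for r in records:
            if not record_matches(r, chain):
                continue
            if r.usage in (PKIX_TA, PKIX_EE) and not pkix_ok:
                continue              # PKIX-* usages additionally need CA verification
            return True               # DANE-* match, or PKIX-* match with PKIX success
        return False
    if policy == "smtp":              # RFC 7672 style: PKIX-* usages are unusable
        usable = [r for r in records if r.usage in (DANE_TA, DANE_EE)]
        return any(record_matches(r, chain) for r in usable)
    raise ValueError(f"unknown policy {policy}")


def sample_data():
    """Constructed chain and records (fake bytes, not real certificates)."""
    ee = Cert(der=b"constructed: leaf certificate", spki=b"constructed: leaf SPKI")
    ca = Cert(der=b"constructed: issuing CA cert", spki=b"constructed: issuing CA SPKI")
    chain = [ee, ca]
    dane_ee = TLSA(DANE_EE, 1, 1, association(ee, 1, 1))   # 3 1 1 <sha256(spki)>
    pkix_ta = TLSA(PKIX_TA, 0, 1, association(ca, 0, 1))   # 0 0 1 <sha256(cert)>
    return chain, dane_ee, pkix_ta


if __name__ == "__main__":
    chain, dane_ee, pkix_ta = sample_data()
    for policy in ("ignore", "dane_plus_pkix", "dane_no_pkix", "full", "smtp"):
        for recs, label in (([pkix_ta], "PKIX-TA only"), ([dane_ee], "DANE-EE only"),
                            ([pkix_ta, dane_ee], "mixed")):
            print(f"{policy:15} {label:13} pkix_ok=False -> "
                  f"{accept(recs, chain, False, policy)}")
```

The two rows worth comparing are a DANE-EE-only set with PKIX failing (policy 2 rejects it although DANE-EE is meant to stand on its own) and a PKIX-TA-only set with PKIX failing (policy 3 accepts it although PKIX-TA requires CA verification); only `full` gets both right, and it also accepts a mixed set as soon as one record validates under its own usage.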