[gnutls-help] Combining certificate verification mechanisms [was: Re: GnuTLS with TOFU verifies public keys, not certificates]
Jens Lechtenboerger
jens.lechtenboerger at fsfe.org
Thu Apr 17 22:28:56 CEST 2014
On Thu, 17 Apr 2014 14:44:57 -0400, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> said:
> but if i connect using:
>
> gnutls-cli --tofu www.google.com
>
> then i do see the certificate validation remark ("Status: The
> certificate is trusted.") but i am *also* prompted with the TOFU prompt.
> If i say "no" on the TOFU prompt, the connection fails:
>
> Host www.google.com (https) has never been contacted before.
> Its certificate is valid for www.google.com.
> Are you sure you want to trust it? (y/N): n
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.
> 1 dkg at alice:~$

The above is precisely what I want.

Nikos wrote that the idea of TOFU was to trust even if PKI fails.
I use TOFU as I consider PKI to be broken. Why should I trust PKI
with its assertion “Its certificate is valid for www.google.com”?

Best wishes
Jens