gnutls-devel

From: Simon Josefsson
Subject: Re: [SCM] GNU gnutls branch, gnutls_2_10_x, updated. gnutls_2_10_0-9-g301635a
Date: Tue, 13 Jul 2010 19:13:31 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

"Nikos Mavrogiannopoulos" <address@hidden> writes:

> +  gnutls_certificate_set_verify_flags(xcred, 
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
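Review bot: the flag is set unconditionally on xcred in this hunk, so every user of these credentials accepts X.509 v1 CA certificates whether or not they asked for it, and the quoted lines give no rationale for relaxing validation; gate the call behind an explicit opt-in option, keep rejection of v1 CAs as the default, and document the reason in the commit.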

What was the reason for this change?  Do we want to do this
unconditionally?  Maybe we could introduce a --permit-v1-cas flag?  I'd
rather prefer to treat V1 CAs as broken-by-default...

Hm.  Generally, X.509 validation is quite complex, just like TLS
security policies.  I wonder if an X.509 priority string concept would be
useful?  Then the user could say --x509-priority
"NORMAL:+VERIFY_ALLOW_X509_V1_CA_CRT" to do the above.  Thoughts?  The
string could be used to modify how X.509 validation works in many ways.

/Simon
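Simon's priority-string idea, as an added example that is not part of the original thread or of GnuTLS itself: a small parser for the proposed `--x509-priority` syntax that fails closed on unknown tokens and keeps v1 CAs rejected unless explicitly enabled. The keyword table and bit values are placeholders standing in for the GnuTLS verify-flag enumerators, and the grammar (a `NORMAL` base followed by `+`/`-` modifiers) is assumed from the mail.

```c
#include <string.h>

/* Placeholder bit values standing in for the gnutls_certificate_verify_flags
 * enumerators: a real program includes <gnutls/x509.h> and passes the
 * library's own constants to gnutls_certificate_set_verify_flags(). */
#define VERIFY_ALLOW_X509_V1_CA_CRT     (1u << 1)
#define VERIFY_ALLOW_ANY_X509_V1_CA_CRT (1u << 3)

struct verify_keyword { const char *name; unsigned bit; };

static const struct verify_keyword keywords[] = {
    { "VERIFY_ALLOW_X509_V1_CA_CRT",     VERIFY_ALLOW_X509_V1_CA_CRT },
    { "VERIFY_ALLOW_ANY_X509_V1_CA_CRT", VERIFY_ALLOW_ANY_X509_V1_CA_CRT },
};
#define NKEYWORDS (sizeof keywords / sizeof keywords[0])

/* Parse "NORMAL[:+KEYWORD|:-KEYWORD]..." into a verify-flag bitmask.
 * "NORMAL" is the strict default: no relaxations, so v1 CA certificates
 * stay rejected until the user opts in with "+VERIFY_ALLOW_X509_V1_CA_CRT".
 * Returns the mask (>= 0) on success and -1 on any unknown or malformed
 * token, so a typo fails closed instead of silently weakening validation. */
int x509_priority_parse(const char *prio)
{
    char buf[256];
    unsigned out = 0;
    char *tok;

    if (prio == NULL || strlen(prio) >= sizeof buf) return -1;
    strcpy(buf, prio);

    tok = strtok(buf, ":");
    if (tok == NULL || strcmp(tok, "NORMAL") != 0) return -1; /* one base policy so far */

    while ((tok = strtok(NULL, ":")) != NULL) {
        size_t i;
        if (tok[0] != '+' && tok[0] != '-') return -1;   /* modifier sign required */
        for (i = 0; i < NKEYWORDS; i++)
            if (strcmp(tok + 1, keywords[i].name) == 0)
                break;
        if (i == NKEYWORDS) return -1;                    /* unknown keyword */
        if (tok[0] == '+') out |= keywords[i].bit;
        else out &= ~keywords[i].bit;
    }
    return (int)out;
}
```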


