curl and certificate verification in jessie
t.glaser at tarent.de
Fri Dec 5 10:10:48 UTC 2014
On Thu, 4 Dec 2014, Ian Jackson wrote:
> Each time you generate an EE key which you intend to use this way,
This assumes you can control the server key/cert you want to trust.
> Daniel Kahn Gillmor writes ("Re: curl and certificate verification in jessie"):
> > So, the idea is that when you "accept" an EE cert, you need to do it
> > with an explicit associate to a specific peer's name, not just the cert
Hm, why would trusting an EE certificate invalidate the name checking?
I can see it only disable the CA chain checking.
> How about the following change to GnuTLS: if _all_ of the supplied
> certificates are EE certificates (eg, have the critical CA constraint
> set to false), we disable this check ?
This sounds like it has lots of potential for people to accidentally
do that and don’t realise it. It also prohibits mixed setups (think,
almost-normal operation, you have a (possibly reduced) set of CAs you
want to trust, plus one or a couple of EE certificates, which are
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font. -- Rob Pike in "Notes on Programming in C"
More information about the Pkg-gnutls-maint