curl and certificate verification in jessie

Thorsten Glaser t.glaser at
Fri Dec 5 10:10:48 UTC 2014

On Thu, 4 Dec 2014, Ian Jackson wrote:

> Each time you generate an EE key which you intend to use this way,

This assumes you can control the server key/cert you want to trust.

> Daniel Kahn Gillmor writes ("Re: curl and certificate verification in jessie"):
> > So, the idea is that when you "accept" an EE cert, you need to do it
> > with an explicit associate to a specific peer's name, not just the cert

Hm, why would trusting an EE certificate invalidate the name checking?
I can see it only disable the CA chain checking.

> How about the following change to GnuTLS: if _all_ of the supplied
> certificates are EE certificates (eg, have the critical CA constraint
> set to false), we disable this check ?

This sounds like it has lots of potential for people to accidentally
do that and don’t realise it. It also prohibits mixed setups (think,
almost-normal operation, you have a (possibly reduced) set of CAs you
want to trust, plus one or a couple of EE certificates, which are
special cases.

Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.	-- Rob Pike in "Notes on Programming in C"

More information about the Pkg-gnutls-maint mailing list