
Re: curl and certificate verification in jessie



On 12/04/2014 01:48 PM, Ian Jackson wrote:
> Daniel Kahn Gillmor writes ("Re: curl and certificate verification in jessie"):
>> So, the idea is that when you "accept" an EE cert, you need to do it
>> with an explicit association to a specific peer's name, not just the cert
>> itself.  Newer versions of GnuTLS provide this facility, but it's not
>> the traditional (and potentially dangerous) "here's a package of certs
>> I'm OK with" interface that it was before.  And of course that interface
>> isn't used by curl yet.
> 
> How about the following change to GnuTLS: if _all_ of the supplied
> certificates are EE certificates (e.g., have the critical CA constraint
> set to false), we disable this check?
> 
> In that situation it is clear that the caller is not trying to use the
> X.509 CA infrastructure at all and has been `abusing' the CA interface
> to provide the expected public keys directly.

Thanks, that's a very interesting idea.  I'll bring it up with upstream.

It seems to narrowly solve the case in question, but possibly at the
risk of making the semantics of the API even more confusing than it
already is.

	--kg
