On Fri, Feb 21, 2014 at 04:54:04PM -0500, Stephen Nightingale wrote:

> >So results from GnuTLS DANE verification can be misleading.
>
> I should point out that I am not using GnuTLS's idea of DANE
> verification. I'm getting the cert chain passed up and doing my own
> DANE verification. For this purpose I had to modify the
> python-gnutls-1.2.5 interface to GnuTLS, to pass in a certificate
> chain, since in the download it only passes in a single end cert.

OK, but with DANE-TA(2) now you have the rather difficult task of
performing PKIX validation of a complete trust chain.  I forget
what your approach was for this.  Are you checking all the expiration
dates, signatures, basic constraints, name constraints, path-length
constraints, performing name checks, ...?  That's a lot of difficult
code.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
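Added example, not code from this thread and not Stephen's python-gnutls patch: a Go program that walks through the DANE-TA(2) flow Viktor describes, using only the standard library. The certificate chain, the host name mail.example.com and the TLSA record are all constructed inside the program. The DANE-specific work is small: pick the certificate the TLSA record names out of the chain the server presented, insist that it is an issuing CA, and hand it to crypto/x509 as the only trusted root. The PKIX checks Viktor lists (signatures, validity period, basic constraints, path-length and name constraints, hostname matching) are then done by x509.Certificate.Verify rather than by hand.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of a TLSA record (RFC 6698); usage 2 is DANE-TA.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// AssocData is the association data a record carries for cert under selector 0
// (full cert) or 1 (SPKI) with matching type 1 (SHA-256); other values are unsupported here.
func AssocData(cert *x509.Certificate, selector, matching uint8) ([]byte, bool) {
	sel := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	if sel == nil || matching != 1 {
		return nil, false
	}
	h := sha256.Sum256(sel)
	return h[:], true
}

// VerifyDANETA checks chain (leaf first) under a DANE-TA(2) record: the cert the
// record names must be an issuing CA above the leaf; it becomes the only trusted
// root and crypto/x509 does the PKIX work (signatures, validity period,
// basic/path-length/name constraints, hostname match).
func VerifyDANETA(chain []*x509.Certificate, host string, r TLSA, now time.Time) error {
	taIdx := -1
	for i, c := range chain {
		if d, ok := AssocData(c, r.Selector, r.Matching); ok && bytes.Equal(d, r.Data) {
			taIdx = i
			break
		}
	}
	if r.Usage != 2 || taIdx <= 0 || !chain[taIdx].BasicConstraintsValid || !chain[taIdx].IsCA {
		return errors.New("no issuing CA in the chain matches a DANE-TA(2) record")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[taIdx])
	for _, c := range chain[1:taIdx] {
		inters.AddCert(c)
	}
	opts := x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: now}
	_, err := chain[0].Verify(opts)
	return err
}

// issue mints a constructed P-256 test certificate (parent == nil: self-signed); pathLen < 0 = no constraint.
func issue(cn string, dns []string, isCA bool, pathLen int, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA,
		MaxPathLen: pathLen, MaxPathLenZero: isCA && pathLen == 0,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDemoChain returns [leaf, intermediate, root] for the hypothetical host
// mail.example.com plus the "TLSA 2 1 1" record (SPKI, SHA-256) naming the root.
func BuildDemoChain(leafNotAfter time.Time) ([]*x509.Certificate, TLSA) {
	far := time.Now().Add(10 * 365 * 24 * time.Hour)
	root, rootKey := issue("Example Root", nil, true, 1, far, nil, nil)
	inter, interKey := issue("Example Issuing CA", nil, true, 0, far, root, rootKey)
	leaf, _ := issue("mail.example.com", []string{"mail.example.com"}, false, -1, leafNotAfter, inter, interKey)
	d, _ := AssocData(root, 1, 1)
	return []*x509.Certificate{leaf, inter, root}, TLSA{Usage: 2, Selector: 1, Matching: 1, Data: d}
}

func main() {
	chain, rec := BuildDemoChain(time.Now().Add(24 * time.Hour))
	fmt.Printf("TLSA 2 1 1 %x\nverify: %v\n", rec.Data, VerifyDANETA(chain, "mail.example.com", rec, time.Now()))
}
```

Two points worth noting about what this does and does not check. The anchor's own signature is never examined: it is trusted because the TLSA record names it, which is only sound when that record came from a DNSSEC-validated answer. The anchor may equally be the intermediate directly above the leaf, as long as the server includes it in the chain it sends; a record that happens to match the end-entity certificate is rejected, since DANE-TA requires the anchor to be an issuer. Selector and matching types other than SPKI/SHA-256 are deliberately left unsupported in this example.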
