Daiki Ueno commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/557#note_2015464532

I admit I do not fully understand the issue, but in the current implementation, "Certificate usage=2 (DANE-TA Trust anchor assertion)" is mapped to `DANE_CERT_USAGE_LOCAL_CA`, which is only checked without `--no-ca-verification` (i.e., `!(vflags & DANE_VFLAG_ONLY_CHECK_EE_USAGE)` [here](https://gitlab.com/gnutls/gnutls/-/blob/ef5a574e3acc358e2a6f7c4efaeb21bef15f9349/libdane/dane.c#L771)), and since all the certs have usage=2, the loop ends without verification and returns `DANE_E_REQUESTED_DATA_NOT_AVAILABLE`.

Do you think it should also be evaluated in EE-only verification?
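Added example, not part of the original message and not GnuTLS code: a simplified C model of the usage dispatch described above, showing why a TLSA set containing only usage=2 records leaves nothing to evaluate when EE-only checking is requested. All names and constant values are constructed for illustration; grouping usage 0 with usage 2, and the CA-only flag, are assumptions of the model.

```c
/* Simplified model of the usage-dispatch loop discussed in the message.
 * Not libdane code: every name and value below is constructed. */
#include <stddef.h>
#include <stdio.h>

/* TLSA certificate usage values as defined in RFC 6698. */
enum { USAGE_PKIX_TA = 0, USAGE_PKIX_EE = 1, USAGE_DANE_TA = 2, USAGE_DANE_EE = 3 };

/* Hypothetical stand-ins for the verification flags and result codes. */
enum { FLAG_ONLY_CHECK_EE = 1, FLAG_ONLY_CHECK_CA = 2 };
enum { RES_CHECKED = 0, RES_DATA_NOT_AVAILABLE = -1 };

/* Walks the TLSA usages and counts which records would be evaluated under
 * the given flags. Returns RES_DATA_NOT_AVAILABLE when none was eligible. */
int model_dispatch(const int *usages, size_t n, unsigned flags,
                   int *ca_checked, int *ee_checked)
{
    *ca_checked = 0;
    *ee_checked = 0;
    for (size_t i = 0; i < n; i++) {
        int is_ca = usages[i] == USAGE_PKIX_TA || usages[i] == USAGE_DANE_TA;
        int is_ee = usages[i] == USAGE_PKIX_EE || usages[i] == USAGE_DANE_EE;

        if (is_ca && !(flags & FLAG_ONLY_CHECK_EE))
            (*ca_checked)++;    /* trust-anchor match would run here */
        else if (is_ee && !(flags & FLAG_ONLY_CHECK_CA))
            (*ee_checked)++;    /* end-entity match would run here */
        /* any other record is skipped without an error */
    }
    return (*ca_checked + *ee_checked) ? RES_CHECKED : RES_DATA_NOT_AVAILABLE;
}

int main(void)
{
    const int all_ta[] = { USAGE_DANE_TA, USAGE_DANE_TA };  /* constructed TLSA set */
    const int mixed[]  = { USAGE_DANE_TA, USAGE_DANE_EE };  /* constructed TLSA set */
    int ca, ee;

    printf("all usage=2, EE-only: %d\n",
           model_dispatch(all_ta, 2, FLAG_ONLY_CHECK_EE, &ca, &ee));
    printf("all usage=2, default: %d\n", model_dispatch(all_ta, 2, 0, &ca, &ee));
    printf("mixed, EE-only:       %d\n",
           model_dispatch(mixed, 2, FLAG_ONLY_CHECK_EE, &ca, &ee));
    return 0;
}
```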
