On Thu, 2014-04-17 at 14:44 -0400, Daniel Kahn Gillmor wrote:

> > but I suggest to extend the documentation, in particular, the man page of gnutls-cli:
> >
> > For --tofu, currently "in addition to certificate authentication": This should probably read "instead of certificate authentication."
>
> I agree that this change in documentation would match the current behavior. I'm wondering, though, whether we want to change the behavior to match the documentation. Both --tofu and --dane say "in addition to certificate authentication", but only --dane seems to accept standard X.509 certificate authentication as well.
>
> even using "gnutls-cli --ca-verification --tofu www.example.org" doesn't use certificate verification.
Actually it does, although it only prints the verification failure. It seems though that the certificate information is printed twice and thus the failure isn't easily seen. The idea was to allow the user to trust a self-signed certificate even if PKI failed. That means of course that tofu takes precedence over PKI and maybe that should be better documented.

> > Alternatively, should ~/.gnutls/known_hosts also store the certificate's fingerprint to detect such changes?
>
> i don't think this is a good idea. what would the benefit be?

I agree. A certificate contains a lot of information that may change over time such as e-mail, alternative DNS names, legal name etc. (in addition to expiration dates).

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
http://lists.gnupg.org/mailman/listinfo/gnutls-help
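As an added illustration (not code from this thread or from GnuTLS), the following Python models the two points made above: with --tofu the pinned public key decides the outcome while a PKI failure is only reported, and pinning the key rather than the whole certificate lets a renewed certificate with the same key pass where a certificate fingerprint would not. The Cert type, the sample bytes and the automatic pinning on first contact are constructed assumptions, not gnutls-cli behaviour.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (not real DER)."""
    der: bytes        # whole encoded certificate; changes on every reissue
    spki: bytes       # SubjectPublicKeyInfo; stable as long as the key is kept
    pki_valid: bool   # result of chain validation against the CA store


def cert_fingerprint(cert: Cert) -> str:
    return hashlib.sha256(cert.der).hexdigest()


def pubkey_id(cert: Cert) -> str:
    # What a TOFU store pins: the key, not the certificate wrapped around it.
    return hashlib.sha256(cert.spki).hexdigest()


def verify(cert: Cert, known_hosts: dict, host: str, *, tofu: bool = False):
    """Return (accepted, notes). With tofu=True the pinned key decides and the
    PKI result is only reported, mirroring the precedence described in the thread."""
    notes = []
    if not cert.pki_valid:
        notes.append("PKI verification failed")   # reported in both modes
    if not tofu:
        return cert.pki_valid, notes
    pinned = known_hosts.get(host)
    if pinned is None:
        # Assumption: first contact is accepted and pinned without prompting.
        known_hosts[host] = pubkey_id(cert)
        notes.append("new host: key pinned")
        return True, notes
    if pinned == pubkey_id(cert):
        notes.append("key matches known_hosts: accepted regardless of PKI")
        return True, notes
    notes.append("KEY CHANGED: rejected")
    return False, notes


# Constructed sample data: a self-signed cert, its renewal with the same key
# (new validity dates and an extra SAN), and a cert carrying a different key.
KEY_A = b"constructed-spki-key-A"
CERT_A = Cert(b"tbs:2014-2015;san:www.example.org;" + KEY_A, KEY_A, False)
CERT_RENEWED = Cert(b"tbs:2015-2016;san:www.example.org,mail.example.org;" + KEY_A, KEY_A, False)
KEY_B = b"constructed-spki-key-B"
CERT_NEWKEY = Cert(b"tbs:2015-2016;san:www.example.org;" + KEY_B, KEY_B, False)

if __name__ == "__main__":
    store = {}
    for c in (CERT_A, CERT_RENEWED, CERT_NEWKEY):
        print(cert_fingerprint(c)[:16], pubkey_id(c)[:16], verify(c, store, "www.example.org", tofu=True))
```

Running it shows the renewed certificate has a new certificate fingerprint but the same key id, so the TOFU store still accepts it, while the certificate with a different key is rejected.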
