On Thu, 2014-04-17 at 19:33 +0200, Jens Lechtenboerger wrote:
> Hi there,
>
> as it took me a while to figure this out, I'd like to share this.
>
> One of my e-mail providers changed an IMAP certificate, and
> mail-notification warned me about the new certificate with an
> unknown fingerprint. Both certificates are issued by different CAs.
>
> Surprisingly, though, gnutls-cli with option --tofu did not complain
> at all (same for --strict-tofu).
Hello Jens,

In addition to what Daniel mentioned, I'd like to note that in TOFU you cannot trust the certificate nor any information within it. If, for example, the certificate provides alternative names, it would be a mistake to consider them; it is only associated with the host you connected to (remember that in TOFU no signatures are considered, so the certificate is just blurb the server sent). That's why there is no need to store it, nor to complain if it changes.

regards,
Nikos

Gnutls-help mailing list
http://lists.gnupg.org/mailman/listinfo/gnutls-help
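The behaviour the reply describes can be seen in a small model of a trust-on-first-use verifier. The following is an added example written for this thread; it is not code from GnuTLS, mail-notification or either poster. It assumes (as gnutls-cli's TOFU database does) that what gets pinned is the server's public key, stored under the host and port actually connected to, and it uses constructed byte strings in place of real DER SubjectPublicKeyInfo data. The `Certificate` record, `TofuStore`, `KeyMismatch` and the sample hosts and keys are all inventions for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Added example (not from the thread or from GnuTLS): a minimal model of
# trust-on-first-use (TOFU) verification for a TLS client such as gnutls-cli.
# What gets pinned is the server's public key (SPKI), keyed by the host:port
# the client actually connected to. Issuer, subject and subjectAltName entries
# are untrusted input in TOFU and never influence the pin.


@dataclass
class Certificate:
    """Hypothetical certificate record; 'spki' stands in for the DER
    SubjectPublicKeyInfo and is constructed sample data here."""
    subject: str
    issuer: str
    sans: List[str]
    spki: bytes


def spki_fingerprint(spki: bytes) -> str:
    """Fingerprint of the public key, the only thing TOFU remembers."""
    return "sha256:" + hashlib.sha256(spki).hexdigest()


class KeyMismatch(Exception):
    """Raised in strict mode when the pinned key for a host changes."""


class TofuStore:
    """host:port -> pinned SPKI fingerprint (an in-memory stand-in for a TOFU database)."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def verify(self, host: str, port: int, cert: Certificate, strict: bool = False) -> str:
        """Return 'first-use', 'match' or 'mismatch'.

        strict=True models a --strict-tofu style policy: a changed key is a
        hard failure instead of something the user is asked about.
        """
        pin_id = f"{host}:{port}"          # only the host we connected to
        seen = spki_fingerprint(cert.spki)
        pinned = self.pins.get(pin_id)
        if pinned is None:
            self.pins[pin_id] = seen       # first use: remember the key, not the cert
            return "first-use"
        if pinned == seen:
            return "match"                 # new cert, new CA, same key: nothing to report
        if strict:
            raise KeyMismatch(f"{pin_id}: pinned {pinned}, got {seen}")
        return "mismatch"


# Constructed sample keys and certificates (not real DER, not real hosts).
KEY_A = b"SPKI:rsa:example-key-A"
KEY_B = b"SPKI:rsa:example-key-B"
HOST = "imap.example.net"

OLD_CERT = Certificate(HOST, "CA One", [HOST], KEY_A)
NEW_CERT_SAME_KEY = Certificate(HOST, "CA Two", [HOST, "mail.example.net"], KEY_A)
NEW_CERT_NEW_KEY = Certificate(HOST, "CA Two", [HOST], KEY_B)


def run_scenario() -> List[str]:
    """Walk through the situation in the thread and return each verdict."""
    store = TofuStore()
    return [
        store.verify(HOST, 993, OLD_CERT),            # 'first-use'
        store.verify(HOST, 993, NEW_CERT_SAME_KEY),   # 'match': cert and CA changed, key did not
        store.verify(HOST, 993, NEW_CERT_NEW_KEY),    # 'mismatch': the key itself changed
        # A SAN in a pinned cert never pre-trusts another host: fresh first use.
        store.verify("mail.example.net", 993, NEW_CERT_SAME_KEY),
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The second verdict is the situation Jens ran into: a new certificate from a different CA that still carries the same public key produces no warning, because the certificate itself was never what the store trusted. Only a change of key (third verdict) is a TOFU event, and the SAN list of a pinned certificate does not carry the pin over to the names it lists (fourth verdict).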
