On Wednesday 24 August 2005 17:58, Martin Lambers wrote: > > * Note that some commonly used X.509 Certificate Authorities are > > * still using Version 1 certificates. If you want to accept them, > > * you need to call gnutls_certificate_set_verify_flags() with, e.g., > > * %GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT parameter. > What is the reason why Version 1 certificates are not accepted by > default? Is it safe to always set the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT > flag?
In general it is not. A v1 certificate does not contain information about its status (ca, person etc). You may think that this is not that bad since this is a trusted list anyway. The problem arises when people add single non-ca certificates to this list. Say someone may add a certificate of a web site there. This should have the effect of this certificate to be able to certify others. This is not desirable. (the proper solution would be though not to use the trusted list for these non CA certificates). -- Nikos Mavrogiannopoulos _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
