On Wed, Oct 31, 2012 at 9:22 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> The attached message was sent earlier this year to oss-security,
> implying that gnutls does not properly honor pathLenConstraint:
> http://openwall.com/lists/oss-security/2012/06/27/5
> I'm unable to replicate the reported results with GnuTLS 2.8.6 (debian
> squeeze), 3.0.22 (debian sid) or 3.1 (debian experimental).
> What I see is (sid and experimental):
> 0 dkg@pip:/tmp/certtest$ cat local-cert.pem Mengsk.pem
> sms.hallym.ac.kr.pem CA134040001.pem GPKIRootCA.pem | certtool -e
> Loaded 5 certificates, 1 CAs and 0 CRLs
> Subject: C=KR,O=Government of Korea,OU=GPKI,CN=CA134040001
> Issuer: C=KR,O=Government of Korea,OU=GPKI,CN=GPKIRootCA
> Output: Not verified.
I haven't checked why the verification fails, but he is right that we don't honor the pathLenConstraint and the CertSign and CRLSign keyUsage bits for CAs. The issue with being strict on X.509 verification is that if other implementations aren't, people think it is a bug. We had that when we enforced the keyUsage bits for digital signature and encryption. It would be good to enforce those restrictions though.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
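As an added illustration of the two checks discussed in the thread (this is not code from the thread and not GnuTLS code), the following pure-Python model walks a certification path the way RFC 5280 section 6.1.4 describes it: every non-leaf certificate must assert cA, must carry keyCertSign if it has a keyUsage extension at all, and a `pathLenConstraint` on any CA bounds how many further non-self-issued CA certificates may follow it. The `Cert` record, `verify_path`, `check_crl_issuer` and the sample chain are constructed for this demo and stand in for real parsed certificates; the names are made up and do not describe the GPKI chain from the report.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal model of the X.509 fields that matter for path-length
    and key-usage enforcement (constructed, not a real parser)."""
    subject: str
    issuer: str
    ca: bool = False                              # basicConstraints.cA
    path_len: Optional[int] = None                # basicConstraints.pathLenConstraint
    key_usage: FrozenSet[str] = frozenset()       # empty = extension absent

    @property
    def self_issued(self) -> bool:
        # RFC 5280: self-issued certs do not consume path length
        return self.subject == self.issuer


def verify_path(anchor: Cert, path: List[Cert]) -> List[str]:
    """Check a path ordered from the certificate issued by the trust
    anchor down to the end-entity.  Returns a list of policy errors;
    an empty list means the chain is acceptable under these checks.
    Signature verification is out of scope for this model."""
    errors: List[str] = []
    n = len(path)
    max_path_length = n            # 6.1.2 (k): initialised to path length
    working_issuer = anchor.subject

    for i, cert in enumerate(path, start=1):
        if cert.issuer != working_issuer:
            errors.append(f"{cert.subject}: issuer does not match previous subject")
        if i != n:                 # 6.1.4 applies to every non-final cert
            if not cert.ca:
                errors.append(f"{cert.subject}: used as CA but basicConstraints.cA is false")
            if cert.key_usage and "keyCertSign" not in cert.key_usage:
                errors.append(f"{cert.subject}: keyUsage lacks keyCertSign")
            if not cert.self_issued:
                if max_path_length <= 0:
                    errors.append(f"{cert.subject}: pathLenConstraint of an ancestor exceeded")
                else:
                    max_path_length -= 1          # 6.1.4 (l)
            if cert.path_len is not None and cert.path_len < max_path_length:
                max_path_length = cert.path_len   # 6.1.4 (m)
        working_issuer = cert.subject
    return errors


def check_crl_issuer(cert: Cert) -> List[str]:
    """A certificate used to verify a CRL must carry cRLSign when it
    has a keyUsage extension (RFC 5280 section 6.3.3 (f))."""
    if cert.key_usage and "cRLSign" not in cert.key_usage:
        return [f"{cert.subject}: keyUsage lacks cRLSign, cannot verify CRLs"]
    return []


# --- constructed sample chains ---------------------------------------------
ROOT = Cert("Example Root", "Example Root", ca=True,
            key_usage=frozenset({"keyCertSign", "cRLSign"}))
INTERMEDIATE = Cert("Example Intermediate", "Example Root", ca=True, path_len=0,
                    key_usage=frozenset({"keyCertSign", "cRLSign"}))
SUB_CA = Cert("Example Sub-Intermediate", "Example Intermediate", ca=True,
              key_usage=frozenset({"keyCertSign"}))
LEAF_VIA_SUB = Cert("host.example", "Example Sub-Intermediate",
                    key_usage=frozenset({"digitalSignature"}))
LEAF_DIRECT = Cert("host.example", "Example Intermediate",
                   key_usage=frozenset({"digitalSignature"}))
# an intermediate whose keyUsage was issued without keyCertSign
WEAK_INTERMEDIATE = Cert("Example Weak Intermediate", "Example Root", ca=True,
                         key_usage=frozenset({"digitalSignature"}))
LEAF_VIA_WEAK = Cert("host.example", "Example Weak Intermediate")


def demo() -> dict:
    """Run the sample chains and return the error lists for each case."""
    return {
        "ok":           verify_path(ROOT, [INTERMEDIATE, LEAF_DIRECT]),
        "too_deep":     verify_path(ROOT, [INTERMEDIATE, SUB_CA, LEAF_VIA_SUB]),
        "no_certsign":  verify_path(ROOT, [WEAK_INTERMEDIATE, LEAF_VIA_WEAK]),
        "crl_sub_ca":   check_crl_issuer(SUB_CA),
    }


if __name__ == "__main__":
    for name, errs in demo().items():
        print(name, "->", errs or "verified")
```

The "ok" case shows that pathLenConstraint=0 still permits the intermediate to issue end-entity certificates; only the extra CA layer in "too_deep" trips the constraint. A validator that skips these checks accepts all three chains equally, which is the gap the thread is about.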
