Daniel Kahn Gillmor writes ("Re: curl and certificate verification in jessie"):
> So, the idea is that when you "accept" an EE cert, you need to do it
> with an explicit association to a specific peer's name, not just the cert
> itself. Newer versions of GnuTLS provide this facility, but it's not
> the traditional (and potentially dangerous) "here's a package of certs
> I'm OK with" interface that it was before. And of course that interface
> isn't used by curl yet.
How about the following change to GnuTLS: if _all_ of the supplied certificates are EE certificates (e.g., have the critical CA constraint set to false), we disable this check? In that situation it is clear that the caller is not trying to use the X.509 CA infrastructure at all and has been 'abusing' the CA interface to provide the expected public keys directly.

Ian.

Archive: https://lists.debian.org/21632.44185.191543.583...@chiark.greenend.org.uk
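As an added illustration, not code from this thread, from GnuTLS or from curl, the following Go program sketches both halves of the exchange: Ian's "every supplied certificate is an end-entity certificate" trigger, and the difference between the traditional bag-of-certs interface and the name-bound acceptance dkg describes. The peer names alpha.example and beta.example, the PinSet type, and the Scenario helper are invented for the example; the certificates are generated on the fly with Go's standard library, and the end-entity test looks for a basicConstraints extension marked critical with cA=FALSE, following Ian's wording.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// makeSelfSigned creates a throwaway self-signed certificate for the example.
// isCA selects whether the (critical) basicConstraints extension says cA=TRUE.
func makeSelfSigned(name string, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // Go emits basicConstraints as a critical extension
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// isEndEntity reports whether c carries a critical basicConstraints
// extension with cA=FALSE, the property Ian's heuristic keys on.
// A certificate with no basicConstraints at all is deliberately not counted.
func isEndEntity(c *x509.Certificate) bool {
	if !c.BasicConstraintsValid || c.IsCA {
		return false
	}
	for _, e := range c.Extensions {
		if e.Id.Equal(oidBasicConstraints) {
			return e.Critical
		}
	}
	return false
}

// AllEndEntity is the proposed "skip the CA check" trigger: true only when
// every supplied certificate is explicitly a leaf. An empty list is not a
// trust store, so it returns false.
func AllEndEntity(certs []*x509.Certificate) bool {
	if len(certs) == 0 {
		return false
	}
	for _, c := range certs {
		if !isEndEntity(c) {
			return false
		}
	}
	return true
}

// Fingerprint is the hex SHA-256 of the DER certificate, the identity a pin refers to.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// BagAccept models the traditional "here's a package of certs I'm OK with"
// interface: there is no peer name, so any listed cert is accepted from anyone.
func BagAccept(bag []*x509.Certificate, presented *x509.Certificate) bool {
	for _, c := range bag {
		if Fingerprint(c) == Fingerprint(presented) {
			return true
		}
	}
	return false
}

// PinSet is the name-bound alternative: a certificate is accepted only for
// the one peer name it was explicitly associated with (hypothetical type).
type PinSet map[string]string // peer name -> certificate fingerprint

func (p PinSet) Add(peer string, c *x509.Certificate) { p[peer] = Fingerprint(c) }

// Accept succeeds only if a pin exists for peer and it matches presented.
func (p PinSet) Accept(peer string, presented *x509.Certificate) error {
	want, ok := p[peer]
	if !ok {
		return fmt.Errorf("no certificate pinned for peer %q", peer)
	}
	if want != Fingerprint(presented) {
		return errors.New("presented certificate does not match the pin for " + peer)
	}
	return nil
}

// Outcome collects the results main prints and the test checks.
type Outcome struct {
	LeafBagAllEE   bool  // heuristic on a bag holding only two leaves
	MixedBagAllEE  bool  // same heuristic once a CA cert is mixed in
	BagAcceptsSwap bool  // bag interface: alpha's cert presented by "beta"
	PinAlpha       error // pin table: alpha's cert presented as alpha
	PinSwap        error // pin table: alpha's cert presented as beta
}

// Scenario builds two leaf certs and one CA cert (constructed sample data).
func Scenario() (Outcome, error) {
	alpha, err := makeSelfSigned("alpha.example", false)
	if err != nil {
		return Outcome{}, err
	}
	beta, err := makeSelfSigned("beta.example", false)
	if err != nil {
		return Outcome{}, err
	}
	ca, err := makeSelfSigned("root-ca.example", true)
	if err != nil {
		return Outcome{}, err
	}
	bag := []*x509.Certificate{alpha, beta}
	pins := PinSet{}
	pins.Add("alpha.example", alpha)
	pins.Add("beta.example", beta)
	return Outcome{
		LeafBagAllEE:   AllEndEntity(bag),
		MixedBagAllEE:  AllEndEntity(append(bag, ca)),
		BagAcceptsSwap: BagAccept(bag, alpha), // bag cannot tell which peer is speaking
		PinAlpha:       pins.Accept("alpha.example", alpha),
		PinSwap:        pins.Accept("beta.example", alpha),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("all-EE bag: %v, bag with a CA cert: %v\n", o.LeafBagAllEE, o.MixedBagAllEE)
	fmt.Printf("bag accepts alpha's cert for any peer: %v\n", o.BagAcceptsSwap)
	fmt.Printf("pin for alpha: %v; alpha's cert as beta: %v\n", o.PinAlpha, o.PinSwap)
}
```

The two acceptance functions have deliberately different shapes: BagAccept cannot take a peer name, which is exactly why a bag of leaf certificates cannot express "this key belongs to that host", while PinSet.Accept fails closed both when no pin exists for the peer and when the presented certificate is pinned for some other name.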