On Fri, 2014-10-31 at 16:11 +0100, Reindl Harald wrote: > > Are you sure that this is the case with the current package? My F21 can > > no longer connect to network to test, but gnutls in it should > > reconstruct the chain similarly to what nss does (not very similarly to > > be precise but the end result should be the same). If it is not the case > > please report it as bug and I'll check it out. > > the point is that if somebody buys a certificate for 6 years he may have > a checklist when to change them and if some 3rd party decides to remove > the CA certificate -> game over for users of that 3rd party > > from where will you "reconstruct the chain"? > * webserver a) has a certificate for 6 years > * the issuer is CA b) which you remove
I'm also not particularly fond of this approach as it adds complexity to an otherwise very complex protocol. However, in gnutls an alternative certificate path is calculated if there is a trusted certificate which has the same name as the issuer of a CA certificate in the path, and it also has the same key. This is the particular case that Kai refers to. For example in that case, a verisign intermediate certificate was removed, and replaced with a root CA certificate, that has the same DN, and the same key. regards, Nikos -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
