[EMAIL PROTECTED] (Ludovic Courtès) writes:

>> I don't know whether it is OK for a client to send a X.509 client cert
>> that doesn't match one of the authorities sent by the server. Maybe
>> that should be possible?
>
> Sections 7.4.4 and 7.4.6 of RFC 4346 do not mention it explicitly, but
> they seem to imply that a "suitable" certificate is one that matches
> the "known roots and [...] desired authorization space" specified in the
> `certificate_authorities' field of the certificate request.
I just noticed that GnuTLS allows sending a user-selected certificate via the certificate callback interface -- I authenticated using my eID smart card against test.gnutls.org, and it certainly doesn't have the eID CA cert installed.

I think this sounds like a good situation. The application can provide many user credentials, and GnuTLS will pick one of them that matches the CA information sent from the server. It won't pick one of them if none of them matches the CA information.

If the application wants to decide for itself which certificate to send, and possibly send one that doesn't match any CA sent by the server, it has to use the callback interface.

/Simon

_______________________________________________
Help-gnutls mailing list
Help-gnutls@gnu.org
http://lists.gnu.org/mailman/listinfo/help-gnutls
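The two selection policies described in this thread, modelled as an added example in plain C (this is not GnuTLS code and does not use the GnuTLS API). The automatic path picks the first loaded credential whose issuer appears in the server's `certificate_authorities` list and sends nothing when none matches; the callback path lets the application choose a credential regardless of that list, which is how a certificate from a CA the server does not know (the eID case above) can still be sent. The DN matching is simplified to a string comparison of RFC 4514-style names, and the credential names, CA names, and the `pick_by_subject` callback are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A candidate client credential, reduced to its subject and issuer DN as
   strings. Constructed for this example: a real CertificateRequest carries
   DER-encoded DistinguishedNames, and a real credential also holds a key. */
typedef struct {
    const char *subject;
    const char *issuer;
} client_cred;

/* Automatic policy: return the index of the first credential whose issuer
   is one of the CA names the server requested, or -1 if none matches
   (in which case the client sends no certificate at all). */
int select_by_requested_ca(const client_cred *creds, size_t ncreds,
                           const char **req_ca, size_t nreq)
{
    for (size_t i = 0; i < ncreds; i++)
        for (size_t j = 0; j < nreq; j++)
            if (strcmp(creds[i].issuer, req_ca[j]) == 0)
                return (int)i;
    return -1;
}

/* Callback policy: the application decides by itself. The server's CA list
   is deliberately not consulted here, mirroring the callback interface. */
typedef int (*retrieve_cb)(const client_cred *creds, size_t ncreds,
                           void *userdata);

/* Hypothetical application callback: choose the credential whose subject
   equals the string passed as userdata. */
int pick_by_subject(const client_cred *creds, size_t ncreds, void *userdata)
{
    const char *wanted = userdata;
    for (size_t i = 0; i < ncreds; i++)
        if (strcmp(creds[i].subject, wanted) == 0)
            return (int)i;
    return -1;
}

/* Entry point for the selection: a registered callback takes precedence,
   otherwise the automatic issuer match is used. */
int choose_client_cert(const client_cred *creds, size_t ncreds,
                       const char **req_ca, size_t nreq,
                       retrieve_cb cb, void *userdata)
{
    if (cb)
        return cb(creds, ncreds, userdata);
    return select_by_requested_ca(creds, ncreds, req_ca, nreq);
}

/* Constructed sample: one corporate cert and one eID-style cert whose CA the
   server does not list. */
static const client_cred sample_creds[] = {
    { "CN=alice,O=Example Corp", "CN=Example Corp Client CA,O=Example Corp" },
    { "CN=alice (eID),C=BE",     "CN=Citizen CA,C=BE" },
};
static const char *server_cas[] = { "CN=Example Corp Client CA,O=Example Corp" };

/* Server lists the corporate CA: automatic selection picks credential 0. */
int demo_automatic(void)
{
    return choose_client_cert(sample_creds, 2, server_cas, 1, NULL, NULL);
}

/* Server lists a CA that issued none of our credentials: nothing is sent. */
int demo_no_match(void)
{
    const char *other_cas[] = { "CN=Unrelated CA,O=Other" };
    return choose_client_cert(sample_creds, 2, other_cas, 1, NULL, NULL);
}

/* Callback forces the eID credential even though its CA is not requested. */
int demo_callback(void)
{
    return choose_client_cert(sample_creds, 2, server_cas, 1,
                              pick_by_subject, (void *)"CN=alice (eID),C=BE");
}

int main(void)
{
    printf("automatic: %d\n", demo_automatic());   /* 0  */
    printf("no match:  %d\n", demo_no_match());    /* -1 */
    printf("callback:  %d\n", demo_callback());    /* 1  */
    return 0;
}
```

Whether the server then accepts the callback-chosen certificate is its own decision; the client-side policy only determines what gets sent, which is the distinction the thread draws.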