On 7 May 2012 17:15, Nikos Mavrogiannopoulos <[email protected]> wrote:
> On 05/07/2012 12:35 PM, Richard Moore wrote:
>
>>> Are there ways to identify the trust purpose of those certificates?
>>> Is there any intention to standardize something like that, so we don't
>>> end up with our own trust?
>>
>> All the certs are trusted for all purposes in this scheme (subject to
>> the keyusage flags they contain).
>
> The problem is that there is no particular scheme and the keyusage
> flags are set by the CA, not by the one who trusts the certificate.
> Because verisign has a certificate that says it is appropriate for
> signing e-mail, it doesn't mean that I want to trust it.

Yes, I understand what you're asking for and that's not something
that's supported. NSS has a more complete facility for this sort of
thing using a Berkeley DB of certs, but iirc that's only used by
Firefox and isn't actually supported by tools like Thunderbird. I
think this is basically an area where there's no real support at all
under Linux (and to be honest isn't something most users need or have
the ability to configure).

Cheers

Rich.

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
