From: | Simon Josefsson |
Subject: | [Help-gnutls] Re: Is gnutls using the shell model or the chain model for a certificate validation |
Date: | Thu, 13 Nov 2008 09:35:37 +0100 |
User-agent: | Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux) |

Scott Schaeffner <address@hidden> writes:

> I meanwhile found a reference that uses the shell model validation without
> naming it explicitly as shell model.
> Document rfc5280 "Internet X.509 Public Key Infrastructure Certificate and
> Certificate Revocation List (CRL) Profile" explains in section 6 the
> "Certification Path Validation".
>
> Section 6.1.3. (a)(2) states that the timestamp of the validation (system
> date) has to be within the validity period of all certificates in the
> validation path.
>
> It uses the validation method that was named "shell model" in the referenced
> presentation. Currently I do not have any references concerning the "chain"
> validation model, however as the presentation was made by the
> Bundesnetzagentur which is a state agency in Germany, I guess it is used.
>
> The general question for us was which validation model shall we use for our
> implementation. We will go for the shell model that is also used in the
> rfc5280.

I think using the RFC 5280 algorithm won't be a bad choice.  At least
you can point at the RFC authors when someone discovers a logical flaw
in it. ;)

/Simon
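
The validity-period check from RFC 5280 section 6.1.3 (a)(2) discussed above, next to a chain-model check for contrast, as an added example that is not part of the original message and not GnuTLS code. The chain-model rule used here (each issuer valid when it issued the next certificate, with issuance time approximated by the subordinate's notBefore) is an assumption the thread does not define, the `Cert` type and sample path are constructed, and only validity periods are compared (no signatures, revocation or constraints).

```python
from datetime import datetime, timezone
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    not_before: datetime
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def in_validity(cert, when):
    return cert.not_before <= when <= cert.not_after


def shell_model(path, validation_time):
    """RFC 5280 6.1.3 (a)(2): every certificate in the path must be inside
    its validity period at validation time. Returns the failing subjects."""
    return [c.subject for c in path if not in_validity(c, validation_time)]


def chain_model(path, signing_time):
    """Chain model (assumed definition, not from the thread): the end entity
    must be valid at signing time, and each issuer must have been valid when
    it issued the next certificate. Issuance time is approximated by the
    subordinate's notBefore. `path` is ordered top CA first."""
    failures = [] if in_validity(path[-1], signing_time) else [path[-1].subject]
    for issuer, subordinate in zip(path, path[1:]):
        if not in_validity(issuer, subordinate.not_before):
            failures.append(issuer.subject)
    return failures


# Constructed sample path: the intermediate CA expires before validation time.
PATH = [
    Cert("Example Root CA", utc(2000, 1, 1), utc(2010, 1, 1)),
    Cert("Example Intermediate CA", utc(2004, 1, 1), utc(2008, 6, 1)),
    Cert("Example End Entity", utc(2007, 1, 1), utc(2011, 1, 1)),
]

if __name__ == "__main__":
    when = utc(2008, 11, 13)
    print("shell model failures:", shell_model(PATH, when))
    print("chain model failures:", chain_model(PATH, when))
```

With the sample path, the shell model rejects the expired intermediate CA at validation time, while the chain model accepts the path because each issuer was valid when its subordinate was issued.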