On Mon, 2014-09-08 at 23:26 -0700, Adam Williamson wrote: > On Mon, 2014-09-08 at 09:00 -0500, Michael Catanzaro wrote: > > On Mon, 2014-09-08 at 10:06 +0200, Nikos Mavrogiannopoulos wrote: > > > Unfortunately only NSS works. Both openssl and gnutls fail to connect to > > > popular sites because of that change. It should not be assumed that the > > > users of ca-certificates are only programs using nss. > > > > [1] is an interesting read. I get the impression that certificates are > > being removed as long as there is a compatible replacement that NSS can > > validate, based on NSS's custom strategies for certificate validation. > > Is this claim accurate? > > "Custom strategies" is an interesting concept. AFAICS, the TLS standard: > > http://tools.ietf.org/html/rfc5246 > > does not exactly define 'standard' certificate verification strategies, > so in a sense, they're *all* "custom". In other words, we're in good old > Standard Ambiguity Land here. What that doc has to say about chains, > AFAICS, is: You are referring to wrong document. Certificate validation is outside the scope of TLS, and as you already notice it only mentions the format of the chain and nothing more. A Certificate Path validation algorithm is defined in RFC5280 by the PKIX working group which is (or was) the relevant group for X.509 certificates in IETF. That is the only path validation algorithm described in a standard, and although no-one is required to support that, it pretty much defines the base-line. Our ca-certificates (in testing) would fail to connect to amazon.com if the RFC5280 validation is used, as it removed a root which is still active and used by popular domains. So it may be that everyone uses a slightly different verification algorithm, but we should expect at least the base-line to work. We should not require software to be NSS. regards, Nikos -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
