| field | value | date |
|---|---|---|
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-12-29 13:11:32 +0200 |
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-12-29 13:11:32 +0200 |
| commit | f0c04cbfd12d330df70ba9952084f4d7d3d0525b (patch) | |
| tree | cc5cc489c68a787ea3167729bec6070021ebe959 /doc/cha-cert-auth.texi | |
| parent | f01c3652d334e58dea92b75c061be41d77427968 (diff) | |
| download | gnutls-f0c04cbfd12d330df70ba9952084f4d7d3d0525b.tar.gz | |
Reorganization of the authentication chapter.
Diffstat (limited to 'doc/cha-cert-auth.texi')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/cha-cert-auth.texi | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index afc3670d09..63ad6ccdb4 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -1,5 +1,5 @@ @node Certificate authentication -@chapter Certificate authentication +@section Certificate authentication @cindex certificate authentication The most known authentication method of @acronym{TLS} are certificates. @@ -65,7 +65,7 @@ to use this key exchange algorithm. @end menu @node X.509 certificates -@section @acronym{X.509} certificates +@subsection @acronym{X.509} certificates @cindex X.509 certificates The @acronym{X.509} protocols rely on a hierarchical trust model. In @@ -93,7 +93,7 @@ acceptable. The framework is illustrated on @ref{fig:x509}. @end menu @node X.509 certificate structure -@subsection @acronym{X.509} certificate structure +@subsubsection @acronym{X.509} certificate structure An @acronym{X.509} certificate usually contains information about the certificate holder, the signer, a unique serial number, expiration @@ -201,7 +201,7 @@ demonstrate the @acronym{X.509} parsing capabilities can be found in @ref{ex:x509-info}. @node Importing an X.509 certificate -@subsection Importing an X.509 certificate +@subsubsection Importing an X.509 certificate The certificate structure should be initialized using @funcref{gnutls_x509_crt_init}, and a certificate structure can be imported using @funcref{gnutls_x509_crt_import}. @@ -218,7 +218,7 @@ Note that although the functions above apply to @code{gnutls_x509_crt_t} structu exist for the CRL structure @code{gnutls_x509_crl_t}. @node X.509 distinguished names -@subsection X.509 distinguished names +@subsubsection X.509 distinguished names @cindex X.509 distinguished name The ``subject'' of an X.509 certificate is not described by 
@@ -247,7 +247,7 @@ to the contents of the distinguished name structure. @node X.509 public and private keys -@subsection Accessing public and private keys +@subsubsection Accessing public and private keys Each X.509 certificate contains a public key that corresponds to a private key. To get a unique identifier of the public key the @funcref{gnutls_x509_crt_get_key_id} @@ -262,7 +262,7 @@ The private key parameters may be directly accessed by using one of the followin @showfuncE{gnutls_x509_privkey_get_pk_algorithm2,gnutls_x509_privkey_export_rsa_raw2,gnutls_x509_privkey_export_ecc_raw,gnutls_x509_privkey_export_dsa_raw,gnutls_x509_privkey_get_key_id} @node Verifying X.509 certificate paths -@subsection Verifying @acronym{X.509} certificate paths +@subsubsection Verifying @acronym{X.509} certificate paths @cindex verifying certificate paths Verifying certificate paths is important in @acronym{X.509} @@ -293,7 +293,7 @@ are trusted for a particular server but not to authorize other certificates. This purpose is served by the functions @funcref{gnutls_x509_trust_list_add_named_crt} and @funcref{gnutls_x509_trust_list_verify_named_crt}. @node Verifying a certificate in the context of TLS session -@subsection Verifying a certificate in the context of TLS session +@subsubsection Verifying a certificate in the context of TLS session @cindex verifying certificate paths @tindex gnutls_certificate_verify_flags @@ -318,7 +318,7 @@ flags are part of the enumeration @node OpenPGP certificates -@section @acronym{OpenPGP} certificates +@subsection @acronym{OpenPGP} certificates @cindex OpenPGP certificates The @acronym{OpenPGP} key authentication relies on a distributed trust 
@@ -379,7 +379,7 @@ The expiration time of the subkey. @end float -@subsection @acronym{OpenPGP} certificate structure +@subsubsection @acronym{OpenPGP} certificate structure In @acronym{GnuTLS} the @acronym{OpenPGP} certificate structures @xcite{RFC2440} are handled using the @code{gnutls_openpgp_crt_t} type. @@ -421,7 +421,7 @@ The corresponding private keys are stored in the @code{gnutls_openpgp_privkey_t} type. All the prototypes for the key handling functions can be found in @file{gnutls/openpgp.h}. -@subsection Verifying an @acronym{OpenPGP} certificate +@subsubsection Verifying an @acronym{OpenPGP} certificate The verification functions of @acronym{OpenPGP} keys, included in @acronym{GnuTLS}, are simple ones, and do not use the features of the @@ -444,7 +444,7 @@ of verification status flags is the same as in the @acronym{X.509} certificates @showfuncdesc{gnutls_openpgp_crt_verify_self} -@subsection Verifying a certificate in the context of a TLS session +@subsubsection Verifying a certificate in the context of a TLS session Similarly with X.509 certificates, one needs to specify the OpenPGP keyring file in the credentials structure. The certificates @@ -454,7 +454,7 @@ to verify the signatures in the certificate sent by the peer. @showfuncdesc{gnutls_certificate_set_openpgp_keyring_file} @node Advanced certificate verification -@section Advanced certificate verification +@subsection Advanced certificate verification @cindex Certificate verification The verification of X.509 certificates in the HTTPS and other Internet protocols is typically 
@@ -466,11 +466,11 @@ other verification methods. In this section we list the available in GnuTLS meth @menu * Verifying a certificate using trust on first use authentication:: -* Verifying a certificate using DANE (DNSSEC):: +* Verifying a certificate using DANE:: @end menu @node Verifying a certificate using trust on first use authentication -@subsection Verifying a certificate using trust on first use authentication +@subsubsection Verifying a certificate using trust on first use authentication @cindex verifying certificate paths @cindex SSH-style authentication @cindex Trust on first use @@ -491,8 +491,8 @@ shown in @ref{Simple client example with SSH-style certificate verification}. See @ref{Certificate verification} on how to use the available functionality. -@node Verifying a certificate using DANE (DNSSEC) -@subsection Verifying a certificate using DANE (DNSSEC) +@node Verifying a certificate using DANE +@subsubsection Verifying a certificate using DANE (DNSSEC) @cindex verifying certificate paths @cindex DANE @cindex DNSSEC @@ -512,7 +512,7 @@ with GnuTLS and the function prototypes are in @code{gnutls/dane.h}. See @ref{Certificate verification} for information on how to use the library. @node Digital signatures -@section Digital signatures +@subsection Digital signatures @cindex digital signatures In this section we will provide some information about digital @@ -576,7 +576,7 @@ sometime in the future, SHA-1 will be disabled as well. The collision attacks on SHA-1 may also get better, given the new interest in tools for creating them. -@subsection Trading security for interoperability +@subsubsection Trading security for interoperability If you connect to a server and use GnuTLS' functions to verify the certificate chain, and get a @code{GNUTLS_CERT_INSECURE_ALGORITHM} |
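Review bot: in the `@@ -1,5 +1,5 @@` hunk, demoting `@chapter Certificate authentication` to `@section` while leaving `@node Certificate authentication` untouched means this node now needs an entry in the `@menu` of whichever chapter file includes it; that file is outside this view (the diffstat is limited to doc/cha-cert-auth.texi), so confirm the enclosing chapter's menu was updated in the same commit, otherwise makeinfo will report a bad Up pointer for the node. While touching this hunk, the unchanged context line `The most known authentication method of @acronym{TLS} are certificates.` has a number-agreement error and would read better as `The best known @acronym{TLS} authentication method is certificates.`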
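Review bot: in the `@@ -491,8 +491,8 @@` hunk the node is renamed from `Verifying a certificate using DANE (DNSSEC)` to `Verifying a certificate using DANE`, but the `@subsubsection` title on the next line keeps the `(DNSSEC)` suffix, so the node name and the printed heading now differ. Any `@ref{}` or `@xref{}` to the old node name elsewhere in the manual (the `See @ref{Certificate verification}` context lines show that cross references are used) will break the build, and such references in other files are not visible in this filtered view; grep the doc tree for the old name before merging, or keep the suffix in both places.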
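Review bot: in the `@@ -466,11 +466,11 @@` hunk the `@menu` entry is shortened to `* Verifying a certificate using DANE::`, which matches the renamed node, but the menu now shows a different title from the section heading that still says `(DNSSEC)`. Texinfo accepts this, yet readers of the menu lose the hint that DANE verification depends on DNSSEC; either drop the suffix from the heading too or use the `* Node name: Menu text.` form so the menu can carry the longer title.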
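Review bot: in the `@@ -293,7 +293,7 @@` hunk the X.509 heading becomes `@subsubsection Verifying a certificate in the context of TLS session`, while the OpenPGP counterpart in the `@@ -444,7 +444,7 @@` hunk reads `... in the context of a TLS session`. Since both are being rewritten in this commit anyway, align the wording (the OpenPGP form with the article is the grammatical one) so the two parallel subsubsections read consistently in the table of contents.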