Page MenuHome GnuPG

Cross signing certificate in X.509 support
Open, NormalPublic

Description

For the support of cross signing certificates, we need to fix our code for certificate validation in:

  • gpgsm
  • dirmngr (when used with NTBTLS for https)

Sample certificates are available:
https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/

And it is started to be used by Let's Encrypt migration, in September 2021.

https://security.stackexchange.com/questions/14043/what-is-the-use-of-cross-signing-certificates-in-x-509

https://ravendb.net/articles/how-cross-signing-works-with-x509-certificates

Event Timeline

I read OpenSSL implementation.
It does NOT implement backtracking.
In openssl/crypto/x509/x509_vfy.c, it has a function find_issuer which does:

  • exclude a issuer when it's already in ctx->chain (can avoid recursion forever)
  • prefer the first non-expired one, else take the most recently expired one.

This way, we can solve T2972 and T5639. Not sure for T5445.