[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: issues with OpenPGP certificate verification
|
From: |
Daniel Kahn Gillmor |
|
Subject: |
Re: issues with OpenPGP certificate verification |
|
Date: |
Mon, 21 Apr 2008 15:13:44 -0400 |
|
User-agent: |
Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux) |
Thanks for the quick feedback, Nikos.
On Mon 2008-04-21 14:34:35 -0400, Nikos Mavrogiannopoulos wrote:
> Daniel Kahn Gillmor wrote:
>
>> http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/31
>
> Currently gnutls-cli prints:
> # The hostname in the key does NOT match 'goodsite'.
yup. But without --insecure, the appropriate step would be to
terminate the connection, or else you leave the client open to an
unexpected MITM attack.
> However it seems that gnutls-cli is not any more a debugging
> tool. So it is a valid request to fail if the hostname doesn't
> match. (This also doesn't happen in the X.509 certificate case)...
Yikes! i hadn't tested the X.509 case, sorry.
> Simon could there be any issue with this change and gnus that use
> it?
I'm a gnus user, and hadn't realized that such a spoof wouldn't be
caught by gnutls-cli. I'd certainly prefer gnus to fail on a
hostname/certificate mismatch.
>> http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/32
>
> This is a current limitation of the API. If you have some suggestion
> on a verification function, I'd be glad to hear it. I'd be even more
> glad if you offered a patch for it, since it seems my time is quite
> limited lately.
If only we could unlimit all our times! I'll do what i can.
I'm going to propose a snippet of a .h file on the ticket, and if that
seems acceptable to you, then i'll go ahead and try to implement it.
Regards,
--dkg
pgpIaar8sgHtN.pgp
Description: PGP signature