[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: supporting out-of-process certificate validation
From: |
Werner Koch |
Subject: |
Re: supporting out-of-process certificate validation |
Date: |
Wed, 12 Nov 2008 11:52:08 +0100 |
User-agent: |
Gnus/5.110007 (No Gnus v0.7) |
On Wed, 12 Nov 2008 10:13, address@hidden said:
> I'm not sure exactly what the DoS attacks are here. The obvious one is
> when the attacker sends a long X.509 chain with large RSA keys that
> takes a long time to verify the signatures for. The solution to that
Right, that is what I had in mind. It is not a real threat for
non-online applications like GnuPG, thus the certificates are verified
as early as possible. Because GnuPG is usually configured to
automatically retrieve missing certificates (and CRL for all of them),
the network access is usually the bottleneck.
I once had the plan to write some universal chain validation code but it
turned out that the requirements are all to different and thus such code
would be cluttered with all kinds of hook to allow retrieving of missing
certificates, query the user, check policies and soon. So I ended up
with slightly different validation code in GnuPG (gpgsm) and dirmngr.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
- Re: The _gnutls_x509_verify_certificate fix, (continued)
Re: The _gnutls_x509_verify_certificate fix, Sam Varshavchik, 2008/11/10
trusted intermediate CAs [was: Re: The _gnutls_x509_verify_certificate fix], Daniel Kahn Gillmor, 2008/11/11
Re: trusted intermediate CAs, Simon Josefsson, 2008/11/12
Re: trusted intermediate CAs, Daniel Kahn Gillmor, 2008/11/12
Re: trusted intermediate CAs, Nikos Mavrogiannopoulos, 2008/11/12
Re: trusted intermediate CAs, Daniel Kahn Gillmor, 2008/11/12
Re: trusted intermediate CAs, Nikos Mavrogiannopoulos, 2008/11/13