Re: Network security manager

From: Ted Zlatanov
Subject: Re: Network security manager
Date: Tue, 18 Nov 2014 23:31:10 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Tue, 18 Nov 2014 16:29:30 +0100 Lars Magne Ingebrigtsen <address@hidden> 

LMI> Ted Zlatanov <address@hidden> writes:
>> Also, would you like to integrate your TOFU patch with the new nsm branch?

LMI> The NSM does TOFU.  No patch necessary.

What do you think about the verification and TOFU implementation in
gnutls-cli? Please see
https://gitorious.org/gnutls/gnutls/raw/master:src/cli.c inside
cert_verify_callback() for the details.

* uses SSH-style gnutls_store_pubkey() and gnutls_verify_stored_pubkey()
  to DTRT and pins the public key rather than the certificate
  fingerprint. The pub keys are stored by default in a way that lets the
  user look them up by hostname, but we can customize that. And it's
  mostly handled by GnuTLS internals as far as pubkey extraction and

* does DANE auth (although I don't know the details on DANE, the
  client implementation looks reasonable and Toke suggested it)

* checks OCSP for revocations using cert_verify_ocsp() in the same cli.c
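The first bullet is the part a NSM implementer most needs to see concretely: a trust-on-first-use store that pins the peer's SubjectPublicKeyInfo rather than the certificate fingerprint, so a routine certificate renewal under the same key does not raise a warning while an actual key change does. The following is an added example written for this thread, not code from gnutls-cli, GnuTLS or Emacs' nsm.el. It mirrors the shape of gnutls_verify_stored_pubkey()/gnutls_store_pubkey() (lookup keyed by host and service, three outcomes: nothing stored, match, key mismatch) but the function names, the choice of SHA-256 over the DER SPKI as the pin, the in-memory dict store and the hand-built certificate-shaped DER are all this example's own assumptions; GnuTLS uses its own database format and a real client would feed it the DER certificate received in the handshake.

```python
"""TOFU pinning of the peer's public key, in the style of the SSH-like
gnutls_verify_stored_pubkey() / gnutls_store_pubkey() pair discussed in
the message. Added example: not code from gnutls-cli, GnuTLS or Emacs NSM."""
import hashlib

# --- minimal DER helpers, just enough to build and walk a certificate shape ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_read(buf, off):
    """Return (tag, content_start, content_end) of the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), 2 + nbytes
    return tag, off + hdr, off + hdr + length

def der_children(buf, start, end):
    """Yield (tag, whole_tlv_bytes) for each element inside a constructed TLV."""
    off = start
    while off < end:
        tag, _, ce = der_read(buf, off)
        yield tag, buf[off:ce]
        off = ce

def spki_from_cert(cert_der):
    """Pull subjectPublicKeyInfo out of an X.509 DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, s, e = der_read(cert_der, 0)
    _, tbs = next(der_children(cert_der, s, e))
    _, ts, te = der_read(tbs, 0)
    fields = list(der_children(tbs, ts, te))
    if fields[0][0] == 0xA0:          # explicit [0] version tag is optional
        fields = fields[1:]
    return fields[5][1]               # serial, sigalg, issuer, validity, subject, SPKI

# --- the pin store: keyed by (host, service), value is a hash of the SPKI ---
# Outcome names mirror the GnuTLS return codes; SHA-256 over the DER SPKI is
# this example's choice of pin (assumption), not GnuTLS's on-disk format.
NO_CERTIFICATE_FOUND = "no-entry"     # first contact: nothing pinned yet
MATCH = "match"                       # same key as before (cert may have been renewed)
KEY_MISMATCH = "key-mismatch"         # different key: ask the user before trusting

def pubkey_pin(spki_der):
    return hashlib.sha256(spki_der).hexdigest()

def verify_stored_pubkey(db, host, service, cert_der):
    entry = db.get((host, service))
    if entry is None:
        return NO_CERTIFICATE_FOUND
    return MATCH if entry["pin"] == pubkey_pin(spki_from_cert(cert_der)) else KEY_MISMATCH

def store_pubkey(db, host, service, cert_der, expiration=0):
    db[(host, service)] = {"pin": pubkey_pin(spki_from_cert(cert_der)),
                           "expires": expiration}

# --- constructed, unsigned certificate-shaped test data (not real certs) ---
SHA256_RSA = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
RSA_ENC = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")

def fake_spki(key_bytes):
    return der_seq(der_seq(RSA_ENC, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + key_bytes))

def fake_cert(serial, not_after, spki):
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                   # [0] version = v3
        der_tlv(0x02, serial),                                   # serialNumber
        der_seq(SHA256_RSA),                                     # signature algorithm
        der_seq(),                                               # issuer (empty, demo)
        der_seq(der_tlv(0x17, b"140101000000Z"), der_tlv(0x17, not_after)),
        der_seq(),                                               # subject (empty, demo)
        spki,
    )
    return der_seq(tbs, der_seq(SHA256_RSA), der_tlv(0x03, b"\x00" + b"\xff" * 8))

def tofu_scenario(host="imap.example.org", service="993"):
    """First contact pins key A; a renewed cert with key A still matches even
    though its fingerprint changed; a cert carrying key B is flagged."""
    key_a, key_b = fake_spki(b"key-a"), fake_spki(b"key-b")
    first = fake_cert(b"\x01", b"151231235959Z", key_a)
    renewed = fake_cert(b"\x02", b"161231235959Z", key_a)
    swapped = fake_cert(b"\x03", b"161231235959Z", key_b)
    db = {}
    r1 = verify_stored_pubkey(db, host, service, first)
    if r1 == NO_CERTIFICATE_FOUND:
        store_pubkey(db, host, service, first)      # trust on first use
    r2 = verify_stored_pubkey(db, host, service, renewed)
    r3 = verify_stored_pubkey(db, host, service, swapped)
    cert_fingerprint_changed = hashlib.sha256(first).digest() != hashlib.sha256(renewed).digest()
    return r1, r2, r3, cert_fingerprint_changed

if __name__ == "__main__":
    print(tofu_scenario())
```

The scenario returns ("no-entry", "match", "key-mismatch", True): the renewed certificate's fingerprint differs from the first one, so a fingerprint pin would have prompted the user for nothing, while the key pin stays quiet until the key itself changes. Note that the store alone cannot tell a legitimate key rotation from an interposed endpoint; that is why the gnutls-cli callback turns KEY_MISMATCH into a question for the user rather than a silent decision, and why the other two bullets (DANE, OCSP) are worth having as independent signals.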
