[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

issues with OpenPGP certificate verification

From: Daniel Kahn Gillmor
Subject: issues with OpenPGP certificate verification
Date: Mon, 21 Apr 2008 11:30:57 -0400
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Hey Folks--

I just opened a couple tickets concerning what appear to be serious
problems with GnuTLS's OpenPGP certificate verification:

 * gnutls-cli continues connection when certificate User ID does not
   match hostname (even without --insecure):

   This is equivalent to accepting a valid TLS certificate from even though the connection was made to

 * gnutls will accept an unsigned UserID as a hostname match as long
   as some signed UserID exists:

   This appears to be a problem with the way that the library offers
   information about the UserIDs in the OpenPGP certificates.  Since
   each UserID in an OpenPGP cert can be signed by 0 or more keys
   (other than the primary key), there needs to be a way to check the
   validity of specific UserIDs, not just the certificate as a whole.

As usual, if you want more details, just post to the tickets, and i'll
provide whatever help i can.

I'm excited to see the library offering OpenPGP features for TLS, but
these problems are significant security concerns.  i want to make sure
that the first major implementation of this extension is secure!

Thanks for all the work on this,


Attachment: pgpkKDbjK2XIk.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]