From: Nikos Mavrogiannopoulos
Subject: Re: issues with OpenPGP certificate verification
Date: Mon, 21 Apr 2008 21:34:35 +0300
User-agent: Thunderbird 2.0.0.12 (X11/20080227)

Daniel Kahn Gillmor wrote:
> Hey Folks--
>
> I just opened a couple tickets concerning what appear to be serious problems with GnuTLS's OpenPGP certificate verification:
>
> * gnutls-cli continues connection when certificate User ID does not match hostname (even without --insecure):
>
>   http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/31
>
>   This is equivalent to accepting a valid TLS certificate from https://evil.com/ even though the connection was made to https://good.com/

Currently gnutls-cli prints:

# The hostname in the key does NOT match 'goodsite'.

However it seems that gnutls-cli is not any more a debugging tool. So it is a valid request to fail if the hostname doesn't match. (This also doesn't happen in the X.509 certificate case)... Simon could there be any issue with this change and gnus that use it?

> * gnutls will accept an unsigned UserID as a hostname match as long as some signed UserID exists:
>
>   http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/32
>
>   This appears to be a problem with the way that the library offers information about the UserIDs in the OpenPGP certificates. Since each UserID in an OpenPGP cert can be signed by 0 or more keys (other than the primary key), there needs to be a way to check the validity of specific UserIDs, not just the certificate as a whole.
This is a current limitation of the API. If you have some suggestion on a verification function, I'd be glad to hear it. I'd be even more glad if you offered a patch for it, since it seems my time is quite limited lately.
regards, Nikos
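
An added illustration, not part of this thread and not GnuTLS code: a simplified C model of the per-User-ID check requested above, next to the whole-certificate logic that ticket 32 describes. The structs, function names, key ID and hostnames are hypothetical and constructed, and hostname comparison is reduced to an exact string match.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not GnuTLS code: every name here is hypothetical. */
struct user_id {
    const char *name;            /* User ID, reduced to a bare hostname */
    const char *const *signers;  /* key IDs that certified this User ID */
    size_t n_signers;
};
struct pgp_cert { const struct user_id *uids; size_t n_uids; };
/* Constructed sample: one trusted key, one certified and one bare User ID. */
static const char *const trusted[] = { "TRUSTED-KEY-ID" };
static const struct user_id sample_uids[] = {
    { "signed.example", trusted, 1 },   /* certified by the trusted key */
    { "unsigned.example", NULL, 0 },    /* carries no certification */
};
static const struct pgp_cert sample_cert = { sample_uids, 2 };

static bool uid_certified(const struct user_id *u) {
    for (size_t i = 0; i < u->n_signers; i++)
        for (size_t j = 0; j < sizeof trusted / sizeof *trusted; j++)
            if (strcmp(u->signers[i], trusted[j]) == 0)
                return true;
    return false;
}

/* Whole-certificate logic from ticket 32: validity and match are separate. */
bool match_whole_cert(const struct pgp_cert *c, const char *host) {
    bool any_valid = false, any_match = false;
    for (size_t i = 0; i < c->n_uids; i++) {
        any_valid |= uid_certified(&c->uids[i]);
        any_match |= strcmp(c->uids[i].name, host) == 0;
    }
    return any_valid && any_match;
}

/* Per-User-ID logic: the User ID that matches must itself be certified. */
bool match_certified_uid(const struct pgp_cert *c, const char *host) {
    for (size_t i = 0; i < c->n_uids; i++)
        if (strcmp(c->uids[i].name, host) == 0 && uid_certified(&c->uids[i]))
            return true;
    return false;
}

int main(void) {
    printf("whole-cert=%d per-uid=%d\n",
           match_whole_cert(&sample_cert, "unsigned.example"),
           match_certified_uid(&sample_cert, "unsigned.example"));
    return 0;
}
```

A verification function along these lines would need the library to report certification status per User ID, which is the API limitation the reply refers to.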