[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: issues with OpenPGP certificate verification

From: Nikos Mavrogiannopoulos
Subject: Re: issues with OpenPGP certificate verification
Date: Mon, 21 Apr 2008 21:34:35 +0300
User-agent: Thunderbird (X11/20080227)

Daniel Kahn Gillmor wrote:
Hey Folks--

I just opened a couple tickets concerning what appear to be serious
problems with GnuTLS's OpenPGP certificate verification:

 * gnutls-cli continues connection when certificate User ID does not
   match hostname (even without --insecure):

   This is equivalent to accepting a valid TLS certificate from even though the connection was made to

Currently gnutls-cli prints:
 # The hostname in the key does NOT match 'goodsite'.

However it seems that gnutls-cli is not any more a debugging tool. So it is a valid request to fail if the hostname doesn't match. (This also doesn't happen in the X.509 certificate case)... Simon could there be any issue with this change and gnus that use it?

 * gnutls will accept an unsigned UserID as a hostname match as long
   as some signed UserID exists:

   This appears to be a problem with the way that the library offers
   information about the UserIDs in the OpenPGP certificates.  Since
   each UserID in an OpenPGP cert can be signed by 0 or more keys
   (other than the primary key), there needs to be a way to check the
   validity of specific UserIDs, not just the certificate as a whole.

This is a current limitation of the API. If you have some suggestion on a verification function, I'd be glad to hear it. I'd be even more glad if you offered a patch for it, since it seems my time is quite limited lately.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]