[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: issues with OpenPGP certificate verification

From: Daniel Kahn Gillmor
Subject: Re: issues with OpenPGP certificate verification
Date: Mon, 21 Apr 2008 15:13:44 -0400
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Thanks for the quick feedback, Nikos.

On Mon 2008-04-21 14:34:35 -0400, Nikos Mavrogiannopoulos wrote:

> Daniel Kahn Gillmor wrote:
> Currently gnutls-cli prints:
>  # The hostname in the key does NOT match 'goodsite'.

yup.  But without --insecure, the appropriate step would be to
terminate the connection, or else you leave the client open to an
unexpected MITM attack.

> However it seems that gnutls-cli is not any more a debugging
> tool. So it is a valid request to fail if the hostname doesn't
> match. (This also doesn't happen in the X.509 certificate case)...

Yikes!  i hadn't tested the X.509 case, sorry.

> Simon could there be any issue with this change and gnus that use
> it?

I'm a gnus user, and hadn't realized that such a spoof wouldn't be
caught by gnutls-cli.  I'd certainly prefer gnus to fail on a
hostname/certificate mismatch.

> This is a current limitation of the API. If you have some suggestion
> on a verification function, I'd be glad to hear it. I'd be even more
> glad if you offered a patch for it, since it seems my time is quite
> limited lately.

If only we could unlimit all our times!  I'll do what i can.

I'm going to propose a snippet of a .h file on the ticket, and if that
seems acceptable to you, then i'll go ahead and try to implement it.



Attachment: pgpIaar8sgHtN.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]