[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: issues with OpenPGP certificate verification

From: Simon Josefsson
Subject: Re: issues with OpenPGP certificate verification
Date: Mon, 28 Apr 2008 20:03:33 +0200
User-agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)

Hi Daniel.  Thanks for reporting this.  I've modified them so that they
must be fixed before v2.4.  I haven't had time to look at them yet, but
I hope Nikos and you will be able to come up with something that solves
the problem.  I'll revisit this when I get closer to the release.


Daniel Kahn Gillmor <address@hidden> writes:

> Hey Folks--
> I just opened a couple tickets concerning what appear to be serious
> problems with GnuTLS's OpenPGP certificate verification:
>  * gnutls-cli continues connection when certificate User ID does not
>    match hostname (even without --insecure):
>    This is equivalent to accepting a valid TLS certificate from
> even though the connection was made to
>  * gnutls will accept an unsigned UserID as a hostname match as long
>    as some signed UserID exists:
>    This appears to be a problem with the way that the library offers
>    information about the UserIDs in the OpenPGP certificates.  Since
>    each UserID in an OpenPGP cert can be signed by 0 or more keys
>    (other than the primary key), there needs to be a way to check the
>    validity of specific UserIDs, not just the certificate as a whole.
> As usual, if you want more details, just post to the tickets, and i'll
> provide whatever help i can.
> I'm excited to see the library offering OpenPGP features for TLS, but
> these problems are significant security concerns.  i want to make sure
> that the first major implementation of this extension is secure!
> Thanks for all the work on this,
>        --dkg
> _______________________________________________
> Gnutls-devel mailing list
> address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]