Re: How does GnuTLS handle the known-bad Debian keys?

From: Nikos Mavrogiannopoulos
Subject: Re: How does GnuTLS handle the known-bad Debian keys?
Date: Mon, 22 Aug 2011 20:52:05 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20110617 Thunderbird/3.1.11

On 08/22/2011 03:01 AM, Chris Palmer wrote:
> I can't seem to find any key-blacklist-checking code in GnuTLS.
> Perhaps I'm not looking in the right places; I am very new to this
> codebase.
>
> GnuTLS should use such a blacklist, either built-in or in an external
> package, because the fundamental guarantee of the library is to help
> applications establish secure connections. Connections authenticated
> with the weak Debian keys simply cannot provide that guarantee. This
> is one of those (hopefully rare) cases in which policy concerns
> impinge on what should be a pure mechanism.
>
> From a utilitarian or pragmatic viewpoint, adding blacklist support
> in the library will help the most people with the least effort, as
> compared to e.g. having each individual application handle
> blacklisting known-bad keys. In fact, the latter is just not going to
> happen, and isn't happening now.
>
> I have a trivial bit of portable C code that searches a blacklist of
> known-bad key fingerprints. I'll send it along if you want it, but
> first I thought I'd gauge people's interest. Or maybe you'll point me
> to where the code already does handle this. :)

We do not check for the Debian keys. If a patch is provided we can
consider it for inclusion.

