[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: supporting out-of-process certificate validation
From: |
Simon Josefsson |
Subject: |
Re: supporting out-of-process certificate validation |
Date: |
Wed, 12 Nov 2008 09:27:56 +0100 |
User-agent: |
Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux) |
Daniel Kahn Gillmor <address@hidden> writes:
> On Tue 2008-11-11 10:51:45 -0500, Simon Josefsson wrote:
>
>> Generally, I don't think X.509 validation belongs in the same
>> process as a TLS client or server -- it is complex and mistakes will
>> happen, it is better to put all X.509 handling (including private
>> key handling) in a separate process.
>
> This sounds like a good thing to me. Do we have a clear API or
> inter-process protocol for these functions?
This sounds like a good idea to flesh out on our wiki, I've created a
starting pointer:
http://redmine.josefsson.org/wiki/gnutls/GnuTLSExternalValidation
> I quite like (and use daily) OpenSSH's ssh-agent model for
> out-of-process handling of private keys [0]. I'd love to see that
> used (or extended if the data types are incompatible) to be able to
> work with TLS connections. Then a single backend agent could be used
> for both SSH and TLS connections.
I like this model too.
> I'd be very interested in helping to flesh out what communications
> primitives this kind of a spec should involve, particularly if it
> allows people to substitute different validation models depending on
> personal preference, and to share validation models across
> applications.
>
> If anyone else is working on such a spec, i'd love to hear about it.
Let's start discuss it.
I think we can share many ideas and even code from GnuPG 2.x, so it
would be useful if people familiar with that code helped us here. (Hi
Werner. :))
/Simon
- Re: The _gnutls_x509_verify_certificate fix, (continued)
- Re: The _gnutls_x509_verify_certificate fix, Tomas Mraz, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Andreas Metzler, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/11
- Re: The _gnutls_x509_verify_certificate fix, Simon Josefsson, 2008/11/12
- Re: The _gnutls_x509_verify_certificate fix, Andreas Metzler, 2008/11/12
Re: The _gnutls_x509_verify_certificate fix, Sam Varshavchik, 2008/11/10
trusted intermediate CAs [was: Re: The _gnutls_x509_verify_certificate fix], Daniel Kahn Gillmor, 2008/11/11
Re: trusted intermediate CAs, Simon Josefsson, 2008/11/12
Re: trusted intermediate CAs, Daniel Kahn Gillmor, 2008/11/12
Re: trusted intermediate CAs, Nikos Mavrogiannopoulos, 2008/11/12
Re: trusted intermediate CAs, Daniel Kahn Gillmor, 2008/11/12
Re: trusted intermediate CAs, Nikos Mavrogiannopoulos, 2008/11/13