gnutls-devel


Re: issues with OpenPGP certificate verification


From: Simon Josefsson
Subject: Re: issues with OpenPGP certificate verification
Date: Mon, 28 Apr 2008 20:01:45 +0200
User-agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)

Nikos Mavrogiannopoulos <address@hidden> writes:

> Daniel Kahn Gillmor wrote:
>> Hey Folks--
>>
>> I just opened a couple tickets concerning what appear to be serious
>> problems with GnuTLS's OpenPGP certificate verification:
>>
>>  * gnutls-cli continues connection when certificate User ID does not
>>    match hostname (even without --insecure):
>>
>>      http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/31
>>
>>    This is equivalent to accepting a valid TLS certificate from
>>    https://evil.com/ even though the connection was made to
>>    https://good.com/
>
> Currently gnutls-cli prints:
>  # The hostname in the key does NOT match 'goodsite'.
>
> However it seems that gnutls-cli is not any more a debugging tool. So
> it is a valid request to fail if the hostname doesn't match. (This
> also doesn't happen in the X.509 certificate case)... Simon could
> there be any issue with this change and gnus that use it?

No, changing this would be good.  If it causes failures for some people,
it probably does that for a reason, and they should investigate it.

/Simon



