Re: How does GnuTLS handle the known-bad Debian keys?
From: Nikos Mavrogiannopoulos
Subject: Re: How does GnuTLS handle the known-bad Debian keys?
Date: Mon, 22 Aug 2011 20:52:05 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
On 08/22/2011 03:01 AM, Chris Palmer wrote:
> I can't seem to find any key-blacklist-checking code in GnuTLS.
> Perhaps I'm not looking in the right places; I am very new to this
> codebase.
> GnuTLS should use such a blacklist, either built-in or in an external
> package, because the fundamental guarantee of the library is to help
> applications establish secure connections. Connections authenticated
> with the weak Debian keys simply cannot provide that guarantee. This
> is one of those (hopefully rare) cases in which policy concerns
> impinge on what should be a pure mechanism.
> From a utilitarian or pragmatic viewpoint, adding blacklist support
> in the library will help the most people with the least effort, as
> compared to e.g. having each individual application handle
> blacklisting known-bad keys. In fact, the latter is just not going to
> happen, and isn't happening now.
> I have a trivial bit of portable C code that searches a blacklist of
> known-bad key fingerprints. I'll send it along if you want it, but
> first I thought I'd gauge people's interest. Or maybe you'll point me
> to where the code already does handle this. :)
We do not check for the Debian keys. If a patch is provided we can
consider it for inclusion.
regards,
Nikos
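As an added illustration of the kind of fingerprint-blacklist lookup Chris describes (this is example code written for this page, not the code he offers and not part of GnuTLS), the following C snippet keeps a sorted table of key fingerprints and rejects any key whose fingerprint appears in it. The four entries are constructed placeholders, not real Debian weak-key fingerprints; a real deployment would generate the table offline from the published blacklist and obtain the peer's fingerprint from its key before allowing the handshake to complete. The `is_blacklisted` and `normalize_fingerprint` names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEX_LEN 40   /* SHA-1 fingerprint: 20 bytes = 40 hex digits */

/* Constructed sample entries, NOT real weak-key fingerprints. Entries must
 * be lowercase, colon-free and sorted, because lookup uses bsearch()/strcmp(). */
static const char *const blacklist[] = {
    "0123456789abcdef0123456789abcdef01234567",
    "5f4dcc3b5aa765d61d8327deb882cf995f4dcc3b",
    "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
    "ffffffffffffffffffffffffffffffffffffffff",
};
#define BLACKLIST_N (sizeof blacklist / sizeof blacklist[0])

/* Normalise a fingerprint as tools print it ("AB:CD:..." or "abcd...") into
 * the canonical 40-digit lowercase form used by the table. Returns 0 on
 * success, -1 if the input is not exactly 20 bytes of hex. */
int normalize_fingerprint(const char *in, char out[HEX_LEN + 1]) {
    size_t n = 0;
    for (; *in; in++) {
        if (*in == ':' || *in == ' ')
            continue;                       /* tolerate common separators */
        if (!isxdigit((unsigned char)*in))
            return -1;                      /* not hex: malformed input */
        if (n == HEX_LEN)
            return -1;                      /* too long for a SHA-1 fingerprint */
        out[n++] = (char)tolower((unsigned char)*in);
    }
    if (n != HEX_LEN)
        return -1;                          /* too short */
    out[n] = '\0';
    return 0;
}

static int cmp_entry(const void *key, const void *elem) {
    return strcmp((const char *)key, *(const char *const *)elem);
}

/* Sanity check worth running at startup: bsearch() silently returns wrong
 * answers on an unsorted table, which would let a listed key through. */
int blacklist_is_sorted(void) {
    for (size_t i = 1; i < BLACKLIST_N; i++)
        if (strcmp(blacklist[i - 1], blacklist[i]) >= 0)
            return 0;
    return 1;
}

/* Returns 1 if fp is on the blacklist, 0 if it is not, -1 if fp is malformed.
 * A caller should treat -1 as a rejection too, not as "not listed". */
int is_blacklisted(const char *fp) {
    char canon[HEX_LEN + 1];
    if (normalize_fingerprint(fp, canon) != 0)
        return -1;
    return bsearch(canon, blacklist, BLACKLIST_N, sizeof blacklist[0], cmp_entry) != NULL;
}

int main(void) {
    /* Constructed fingerprint in colon-separated uppercase form; matches entry 2. */
    const char *fp = "5F:4D:CC:3B:5A:A7:65:D6:1D:83:27:DE:B8:82:CF:99:5F:4D:CC:3B";
    if (!blacklist_is_sorted()) {
        fputs("blacklist table is not sorted; refusing to use it\n", stderr);
        return 2;
    }
    int r = is_blacklisted(fp);
    printf("%s -> %s\n", fp,
           r == 1 ? "REJECT (known-bad key)" : r == 0 ? "not listed" : "malformed fingerprint");
    return r == 1 ? 1 : 0;
}
```

Two points the lookup deliberately handles: fingerprints arrive in different textual forms depending on which tool printed them, so they are canonicalised before comparison; and a malformed fingerprint yields a distinct result rather than a silent "not listed", so a caller cannot mistake a parsing failure for a clean key.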