Re: RFC: Handling of certificates in Debian

To: Andrew McDonald <andrew@mcdonald.org.uk>
Cc: debian-devel@lists.debian.org
Subject: Re: RFC: Handling of certificates in Debian
From: Neil Spring <nspring@cs.washington.edu>
Date: Fri, 30 Aug 2002 14:57:12 -0700
Message-id: <[🔎] 20020830215708.GA10758@cs.washington.edu>
In-reply-to: <[🔎] 20020830175717.GB19306@mcdonald.org.uk>
References: <[🔎] 20020830001131.A15775@stargate.galaxy> <[🔎] 20020829223936.GA12632@khazad-dum> <[🔎] 20020830175717.GB19306@mcdonald.org.uk>

On Fri, Aug 30, 2002 at 06:58:00PM +0100, Andrew McDonald wrote:
> On a similar subject, there seem to be more than a few applications
> that have had "SSL/TLS support" added, but don't do any hostname
> checking against the certificate - leaving you open to
> man-in-the-middle attacks.

(speaking as an offender)

Why is it that TLS libraries don't handle a lot of this
simple validation on behalf of applications?

Why is it that the sample gnutls code doesn't seem to
include this check?

Can you report bugs against broken packages with patches?

It seems like you've contributed a lot of mutt-specific code
to handle certificate validation in the-right-way, but that
the procedure is both generally useful and error-prone so
should be centralized.

thanks,
-neil

Reply to:

Follow-Ups:
- Re: RFC: Handling of certificates in Debian
  - From: Andrew McDonald <andrew@mcdonald.org.uk>

References:
- RFC: Handling of certificates in Debian
  - From: Torsten Landschoff <torsten@debian.org>
- Re: RFC: Handling of certificates in Debian
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: RFC: Handling of certificates in Debian
  - From: Andrew McDonald <andrew@mcdonald.org.uk>

Prev by Date: Re: Work-needing packages report for Aug 30, 2002
Next by Date: Re: Packages.bz2, Sources.bz2, Contents-*.bz2, oh my
Previous by thread: Re: RFC: Handling of certificates in Debian
Next by thread: Re: RFC: Handling of certificates in Debian
Index(es):
- Date
- Thread