
Re: RFC: Handling of certificates in Debian



On Sat, Aug 31, 2002 at 12:18:04AM +0100, Andrew McDonald wrote:
> Even the hostname check can be problematic - does the user really need
> to accept the certificate every time because the name doesn't match?

I think the issue is this: if no hostname check is done, how do you know
you really are authenticating the remote host by the certificate you
think you should be (say www.secure.org) and not another certificate
instead (say www.crackers.com)? You might think you are accessing
www.secure.org, but if you authenticated the remote host with
www.crackers.com, chances are you may not be.

Of course, if the user manually checks the certificate, there would be
no problems, but how many people will manually check?

(note that I really like this reliance on checking the hostname, for
instance it doesn't work properly with virtual name domains under https,
but it somehow seems to have become the de facto default, and we seem to
be stuck with it for now).

> (I've solved this for mutt by using a cache where I save the hostname
> against the certificate fingerprint, mozilla does something similar.)

I would imagine you would have to manually update this each time
a new certificate is issued (unless I am mistaken).
-- 
Brian May <bam@debian.org>
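
A sketch of the hostname-to-fingerprint cache discussed in this message, added here as an illustration; it is not mutt's or mozilla's code. The class name, the use of SHA-256, and the sample certificate bytes are assumptions made for the example.

```python
import hashlib
import hmac


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (digest choice is an assumption)."""
    return hashlib.sha256(cert_der).hexdigest()


class FingerprintCache:
    """Hypothetical in-memory store mapping hostname -> accepted fingerprint."""

    def __init__(self):
        self.entries = {}

    def check(self, hostname: str, cert_der: bytes) -> str:
        """Return 'unknown' (host never accepted), 'match', or 'changed'."""
        known = self.entries.get(hostname.lower())
        if known is None:
            return "unknown"
        same = hmac.compare_digest(known, fingerprint(cert_der))
        return "match" if same else "changed"

    def accept(self, hostname: str, cert_der: bytes) -> None:
        """Record the user's explicit decision to trust this certificate for this host."""
        self.entries[hostname.lower()] = fingerprint(cert_der)


# Constructed sample data: stand-ins for DER certificate bytes, not real certificates.
OLD_CERT = b"constructed-cert-www.secure.org-original"
NEW_CERT = b"constructed-cert-www.secure.org-reissued"
OTHER_CERT = b"constructed-cert-www.crackers.com"


def demo():
    cache = FingerprintCache()
    results = [cache.check("www.secure.org", OLD_CERT)]         # first contact: ask the user
    cache.accept("www.secure.org", OLD_CERT)                    # user checked it manually, once
    results.append(cache.check("www.secure.org", OLD_CERT))     # later visits: no prompt
    results.append(cache.check("www.secure.org", OTHER_CERT))   # another site's certificate
    results.append(cache.check("www.secure.org", NEW_CERT))     # legitimate reissue
    return results


if __name__ == "__main__":
    print(demo())
```

The last two checks return the same result: the cache alone cannot tell a reissued certificate from a substituted one, so each new certificate needs a fresh manual decision.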


