Re: RFC: Handling of certificates in Debian

To: debian-devel@lists.debian.org
Subject: Re: RFC: Handling of certificates in Debian
From: Andrew McDonald <andrew@mcdonald.org.uk>
Date: Fri, 30 Aug 2002 18:58:00 +0100
Message-id: <[🔎] 20020830175717.GB19306@mcdonald.org.uk>
In-reply-to: <[🔎] 20020829223936.GA12632@khazad-dum>
References: <[🔎] 20020830001131.A15775@stargate.galaxy> <[🔎] 20020829223936.GA12632@khazad-dum>

On Fri, Aug 30, 2002 at 12:40:11AM +0200,
Henrique de Moraes Holschuh wrote:
> 
> Right now, every TLS-enabled package tries to screw it up in new and
> never-before-tried ways.

One commonly missing feature is that the certificate should contain a
subjectAltName extension of type dNSName containing the hostname of the
machine (or, at least, put the hostname in the Common Name). See
RFC2818 and RFC2595.

Should a "recommended contents for X.509 certificates for TLS" be added
to Debian Policy?

On a similar subject, there seem to be more than a few applications
that have had "SSL/TLS support" added, but don't do any hostname
checking against the certificate - leaving you open to
man-in-the-middle attacks.

Andrew
-- 
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/

Reply to:

Follow-Ups:
- Re: RFC: Handling of certificates in Debian
  - From: Neil Spring <nspring@cs.washington.edu>

References:
- RFC: Handling of certificates in Debian
  - From: Torsten Landschoff <torsten@debian.org>
- Re: RFC: Handling of certificates in Debian
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: dpkg bug #156463: second opinions?
Next by Date: Re: Large file support?
Previous by thread: Re: RFC: Handling of certificates in Debian
Next by thread: Re: RFC: Handling of certificates in Debian
Index(es):
- Date
- Thread