On 12/6/10 8:23 PM, Stef Walter wrote:
> Hi all!
>
> I've been working on updating the certificate verification support in
> empathy [1]. The work isn't completely finished and tested yet (I've run
> into some build issues with gtk+3), but I figured I'd give a heads up on
> these commits.

I'm happy to see folks paying attention to certificate validation.

> The work is on the trust-assertions branch [2] on my empathy
> git.collabora.co.uk repository.
>
> This stuff is based on the trust assertion research I've been working on
> [3].
>
> The following has changed:
>
> * Storing certificate exceptions for when a user clicks
>   "Remember this choice for future connections"
>   - These certificate exceptions are per host, and not added
>     as a certificate authority as before.

It's scary that you were pinning certs on a per-CA basis before, but at
least you've plugged that hole. :)

> * Looking up certificate anchors (trust roots) via PKCS#11
>   - Any certificate authority present there can be used.
>
> * Building of certificate chains by looking up certificates
>   via PKCS#11.
>   - If the server doesn't send a complete certificate chain
>     then the certificates are loaded locally (if present).
>
> empathy uses libgcr for these lookups, which uses PKCS#11 to lookup the
> various trust anchors and certificate exceptions in PKCS#11 modules. The
> relevant PKCS#11 modules are provided by gnome-keyring.
>
> gnome-keyring trust-store [4] branch is necessary to make all this work.
>
> What's missing:
>
> * Need to do the various PKCS#11 lookups asynchronously so as
>   not to block UI being displayed by empathy-auth-client.
>
> * Lookup untrusted assertions for CRLs.

What about OCSP?

> Interested in any comments or insight.

I've written a whole spec about just the domain name aspect of
certificate validation, which should "soon" be published as an RFC:

http://tools.ietf.org/html/draft-saintandre-tls-server-id-check

You might want to have a look at that, along with some of the referenced
specs (which provide more details about other aspects).

Peter

--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________ telepathy mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/telepathy
