CRL checking in dirmngr (Was: Re: [PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given)
Kristian Fiskerstrand
kristian.fiskerstrand at sumptuouscapital.com
Fri Nov 4 23:52:07 CET 2016
On 10/31/2016 03:30 PM, Daniel Kahn Gillmor wrote:
> On Thu 2016-10-27 18:59:03 -0400, Kristian Fiskerstrand wrote:
>> On 10/28/2016 12:30 AM, Daniel Kahn Gillmor wrote:
>>> * dirmngr/dirmngr.c (http_session_new): if the user isn't talking to
>>> the HKPS pool, and they have not specified any hkp-cacert, then we
>>> should default to the system CAs, rather than nothing.
>>> * doc/dirmngr.texi: document choice of CAs.
>>
>> I'm a bit ambiguous about this change. In Gentoo we currently have the
>> use of a system CA behind a user-selectable use flag for hkps but even
>> so the set of provided CAs is originating mostly from Mozilla.
>>
>> As seen with the latest WoSign / StartCom issues, mozilla is not overly
>> concerned about third-party usage of the provided CA certificates, and
>> have more complex restrictions in place for NSS (e.g specific
>> notBeforeDate and OneCRL checking).
Since dirmngr already has CRL checking capabilities, at least OneCRL
checking is likely a good idea to implement. I'd also be nice if CRL is
checked for specific CA, e.g in the case of
https://sks-keyservers.net/ca/crl.pem for hkps.pool.sks-keyservers.net
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nosce te ipsum!
Know thyself!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161104/81bde0c2/attachment.sig>
More information about the Gnupg-devel
mailing list