CRL checking in dirmngr (Was: Re: [PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given)

Sat Nov 19 16:42:12 CET 2016

On 11/18/2016 06:47 AM, Daniel Kahn Gillmor wrote:
> On Sat 2016-11-05 07:52:07 +0900, Kristian Fiskerstrand wrote:
>> Since dirmngr already has CRL checking capabilities, at least OneCRL
>> checking is likely a good idea to implement. I'd also be nice if CRL is
>> checked for specific CA, e.g in the case of
>> https://sks-keyservers.net/ca/crl.pem for hkps.pool.sks-keyservers.net
> 
> Kristian, do you have a patch for this?  Now that the sks-keyservers

No, I haven't done anything wrt this

> pool CA is being shipped and used automatically, this seems like an
> important step.

I'm not entirely sure if it is correct to do it in downstream app to
begin with, but maybe in the TLS provider (in this case mostlly gnutls),
it should be the library's responsibility to provide expected security
level. If the system root store is expected to be used it needs to have
additional checks these days, and a fix would affect more apps.

> 
> how frequently do you think it should be checked?  What if there were a
> policy to refresh it infrequently?  without creating something that
> "phones home", we could have a simple policy like:

Can likely use the CRL expiration as a baseline, if a test was actually
implemented I'd change this to a shorter duration, probably 1 month or
so. Checking more than once a week is likely not necessary, so somewhere
between 1w and 1m would be my suggestion, but ymmw.
> 
>  * if use-tor is enabled, and
>  * if the list of configured keyservers includes
>    hkps.pool.sks-keyservers.net, and
>  * the CRL "Next at" update check is expired
> 
> then refresh it?

Sounds reasonable for this particular case (and this would fit in
downstream app as it is special use case, so it is reasonable to work on
it).

I'm actually more curious about [OneCRL] not being checked for the rest
of the root store/system CAs at this point.

References:
[OneCRL] json variant available at
https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"A ship is safe in harbour, but that's not what ships are for"
(Will Shedd)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161119/d220df3a/attachment-0001.sig>