issues with OpenPGP certificate verification

Daniel Kahn Gillmor at
Mon Apr 21 21:13:44 CEST 2008

Thanks for the quick feedback, Nikos.

On Mon 2008-04-21 14:34:35 -0400, Nikos Mavrogiannopoulos wrote:

> Daniel Kahn Gillmor wrote:
> Currently gnutls-cli prints:
>  # The hostname in the key does NOT match 'goodsite'.

yup.  But without --insecure, the appropriate step would be to
terminate the connection, or else you leave the client open to an
unexpected MITM attack.

> However it seems that gnutls-cli is not any more a debugging
> tool. So it is a valid request to fail if the hostname doesn't
> match. (This also doesn't happen in the X.509 certificate case)...

Yikes!  i hadn't tested the X.509 case, sorry.

> Simon could there be any issue with this change and gnus that use
> it?

I'm a gnus user, and hadn't realized that such a spoof wouldn't be
caught by gnutls-cli.  I'd certainly prefer gnus to fail on a
hostname/certificate mismatch.

> This is a current limitation of the API. If you have some suggestion
> on a verification function, I'd be glad to hear it. I'd be even more
> glad if you offered a patch for it, since it seems my time is quite
> limited lately.

If only we could unlimit all our times!  I'll do what i can.

I'm going to propose a snippet of a .h file on the ticket, and if that
seems acceptable to you, then i'll go ahead and try to implement it.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20080421/46f034bd/attachment.pgp>

More information about the Gnutls-devel mailing list