supporting out-of-process certificate validation [was: Re: The _gnutls_x509_verify_certificate fix]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 11 22:31:13 CET 2008


On Tue 2008-11-11 10:51:45 -0500, Simon Josefsson wrote:

> Generally, I don't think X.509 validation belongs in the same
> process as a TLS client or server -- it is complex and mistakes will
> happen, it is better to put all X.509 handling (including private
> key handling) in a separate process.

This sounds like a good thing to me.  Do we have a clear API or
inter-process protocol for these functions?

I quite like (and use daily) OpenSSH's ssh-agent model for
out-of-process handling of private keys [0].  I'd love to see that
used (or extended if the data types are incompatible) to be able to
work with TLS connections.  Then a single backend agent could be used
for both SSH and TLS connections.

SSH does *not* have any built-in PKI for certificate verification or
hooks of this sort, though X.509 certs are supported by a set of
third-party patches [1].

However, OpenPGP certificates *are* supported in external processes
using native OpenSSH hooks by the monkeysphere [2].  The hooks the
Monkeysphere uses weren't designed with key management in mind,
though, and could probably be improved.  As part of the Monkeysphere
team, i'd love to see a spec for how these hooks for external
certificate validation *should* look, and would be interested in
implementing them.  If we could frame them as extensions of the
OpenSSH agent protocol, that would be additional gravy.

I'd be very interested in helping to flesh out what communications
primitives this kind of a spec should involve, particularly if it
allows people to substitute different validation models depending on
personal preference, and to share validation models across
applications.

If anyone else is working on such a spec, i'd love to hear about it.

         --dkg

[0] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.agent?rev=HEAD;content-type=text%2Fplain
[1] http://www.roumenpetrov.info/openssh/
[2] http://web.monkeysphere.info/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20081111/df28ffc9/attachment.pgp>


More information about the Gnutls-devel mailing list