supporting out-of-process certificate validation

Werner Koch wk at gnupg.org
Wed Nov 12 11:52:08 CET 2008


On Wed, 12 Nov 2008 10:13, simon at josefsson.org said:

> I'm not sure exactly what the DoS attacks are here.  The obvious one is
> when the attacker sends a long X.509 chain with large RSA keys that
> takes a long time to verify the signatures for.  The solution to that

Right, that is what I had in mind.  It is not a real threat for
non-online applications like GnuPG, thus the certificates are verified
as early as possible.  Because GnuPG is usually configured to
automatically retrieve missing certificates (and CRLs for all of them),
the network access is usually the bottleneck.

I once had the plan to write some universal chain validation code but it
turned out that the requirements are all too different and thus such code
would be cluttered with all kinds of hooks to allow retrieving of missing
certificates, query the user, check policies and so on.  So I ended up
with slightly different validation code in GnuPG (gpgsm) and dirmngr.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.






More information about the Gnutls-devel mailing list