[gnutls-help] GnuTLS with TOFU verifies public keys, not certificates
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Apr 17 20:44:57 CEST 2014
On 04/17/2014 01:33 PM, Jens Lechtenboerger wrote:
> One of my e-mail providers changed an IMAP certificate, and
> mail-notification warned me about the new certificate with an
> unknown fingerprint. Both certificates are issued by different CAs.
> Surprisingly, though, gnutls-cli with option --tofu did not complain
> at all (same for --strict-tofu).
> It turns out that both certificates contain the same public key.
> (Why would somebody do this?)
Presumably they did this because they have a key that they do not think
has been compromised, but their certificate expired.
> As gnutls-cli stores only the public key in ~/.gnutls/known_hosts,
> but nothing about the certificate, it cannot detect any difference.
> I don’t see any security issue here,
I agree that there is no security issue. Using TOFU *should* use the
public key, not the certificate; otherwise, it's guaranteed to fail when
the certificate expires, which seems kind of pointless for a
key-continuity-based approach like TOFU.
> but I suggest to extend the
> documentation, in particular, the man page of gnutls-cli:
> For --tofu, currently “in addition to certificate authentication”:
> This should probably read “instead of certificate authentication.”
I agree that this change in documentation would match the current
behavior. I'm wondering, though, whether we want to change the behavior
to match the documentation. Both --tofu and --dane say "in addition to
certificate authentication", but only --dane seems to accept standard
X.509 certificate authentication as well.
Even using "gnutls-cli --ca-verification --tofu www.example.org" doesn't
use certificate verification.
> Afterwards emphasize: “Note that public keys are recorded, not
> For --strict-tofu: “certificate” needs to be replaced with “public
> key” twice.
The above changes seem reasonable to me.
> Alternatively, should ~/.gnutls/known_hosts also store the
> certificate’s fingerprint to detect such changes?
I don't think this is a good idea. What would the benefit be?
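
Added example, not part of the original thread and not GnuTLS code: a simplified model of the behaviour discussed above, comparing a TOFU pin over the SubjectPublicKeyInfo with a pin over the whole certificate. The DER helpers, `toy_cert`, the dict-based store and the host name are assumptions; the certificates are constructed and unsigned, and the store is not the `known_hosts` file format.

```python
import hashlib

def tlv(tag, body):  # DER-encode one element; enough for bodies under 256 bytes
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + ln + body

def span(buf, i):
    """Return (body_start, end) of the DER element starting at offset i."""
    n, start = buf[i + 1], i + 2
    if n & 0x80:                       # long form: low bits count the length bytes
        k = n & 0x7F
        n, start = int.from_bytes(buf[start:start + k], "big"), start + k
    return start, start + n

def children(der):  # split a constructed DER element into its child elements
    i, end = span(der, 0)
    out = []
    while i < end:
        nxt = span(der, i)[1]
        out.append(der[i:nxt])
        i = nxt
    return out

def spki(cert_der):
    """Extract SubjectPublicKeyInfo: the field after subject in TBSCertificate."""
    fields = children(children(cert_der)[0])
    return fields[6 if fields[0][0] == 0xA0 else 5]   # [0] version is optional

def toy_cert(issuer, serial, key):
    """Constructed, unsigned X.509-shaped test certificate (not a real one)."""
    alg = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))       # OID 1.3.101.112 (Ed25519)
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    dates = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"150101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + alg
              + name(issuer) + dates + name(b"imap.example.org")
              + tlv(0x30, alg + tlv(0x03, b"\x00" + key)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(64)))

def tofu_check(store, host, cert_der, pin=spki):
    """Trust on first use; afterwards compare SHA-256 of whatever `pin` selects."""
    digest = hashlib.sha256(pin(cert_der)).hexdigest()
    known = store.setdefault(host, digest)            # first use records the pin
    return "match" if known == digest else "MISMATCH"

# Constructed sample data: same key reissued by another CA, then a different key.
KEY, OTHER = bytes(range(32)), bytes(range(32, 64))
OLD, NEW, REKEYED = toy_cert(b"CA One", 1, KEY), toy_cert(b"CA Two", 2, KEY), toy_cert(b"CA Two", 3, OTHER)
```

With the default `pin=spki` the reissued certificate is accepted silently and only a key change is flagged; passing `pin=bytes` pins the whole certificate and flags the reissue as well.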