supporting out-of-process certificate validation

Simon Josefsson simon at josefsson.org
Wed Nov 12 10:13:02 CET 2008


Werner Koch <wk at gnupg.org> writes:

> On Wed, 12 Nov 2008 09:27, simon at josefsson.org said:
>
>> I think we can share many ideas and even code from GnuPG 2.x, so it
>> would be useful if people familiar with that code helped us here.  (Hi
>
> For a test you may use 
>
>   $ dirmngr-client --validate y.crt
>   dirmngr-client: certificate is valid
>
>   $ dirmngr-client --validate x.crt
>   dirmngr-client: validation of certificate failed: Certificate expired
>
> This is a very simple tool which connects to the dirmngr and asks it to
> validate a certificate by using dirmngr's own validation code.  It is
> actually a debugging feature for the validation code.  Using the dirmngr
> daemon has the advantage that it will cache certificates and validation
> results and try to get missing certificates from other places.

Great.  However, you mentioned that it wasn't designed to protect
against DoS scenarios?  I think a GnuTLS validation backend needs that.

I'm not sure exactly what the DoS attacks are here.  The obvious one is
when the attacker sends a long X.509 chain with large RSA keys that
takes a long time to verify the signatures for.  The solution to that
problem is to verify signatures from your trusted certificates and down,
not the other way around.  You can still build the chain path starting
with the end entity certificate though, if you don't want to alter the
chain building algorithm.  Are there other DoS considerations?

Still, I think using the GnuPG 2.x tools for this will save us much code
duplication and give better overall system harmony in the end.

/Simon
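The ordering argument above (build the path cheaply from the end entity upward by issuer name, then verify signatures from the trust anchor downward so that an untrusted or forged chain costs zero or one signature check instead of one per certificate) is illustrated by the following added example. It is not code from the thread, GnuTLS, or dirmngr; it models a chain with a constructed toy "certificate" whose signature is an HMAC made with the issuer's key (in this toy the verification key is the signing key, unlike real X.509), and counts how many signature checks each validation order performs. All names (`Root`, `Inter`, `www.example.test`, the bogus chain) are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate."""
    subject: str
    issuer: str
    key: bytes        # toy "public key"; in this model it is also the signing key
    signature: bytes  # toy signature by the issuer over (subject, issuer, key)


def _tbs(subject, issuer, key):
    # The "to-be-signed" bytes of the toy certificate.
    return subject.encode() + b"|" + issuer.encode() + b"|" + key


def _key(name):
    # Constructed deterministic key material for the example; real keys are random.
    return hashlib.sha256(b"key:" + name.encode()).digest()


def self_sign(subject, key):
    sig = hmac.new(key, _tbs(subject, subject, key), hashlib.sha256).digest()
    return Cert(subject, subject, key, sig)


def issue(subject, key, issuer):
    """Create a toy certificate for subject/key signed by the issuer Cert."""
    sig = hmac.new(issuer.key, _tbs(subject, issuer.subject, key), hashlib.sha256).digest()
    return Cert(subject, issuer.subject, key, sig)


def verify_signature(cert, issuer, counter):
    """The expensive step (an RSA verification in real life). counter[0] counts calls."""
    counter[0] += 1
    expected = hmac.new(issuer.key, _tbs(cert.subject, cert.issuer, cert.key),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def build_path(end_entity, supplied, max_len=8):
    """Cheap path building from the end entity upward, matching issuer names only.
    No signatures are checked here, so an attacker-supplied pile of certificates
    costs nothing but a few dictionary lookups."""
    by_subject = {c.subject: c for c in supplied}
    path = [end_entity]
    seen = {end_entity.subject}
    while path[-1].issuer != path[-1].subject:     # stop at a self-signed certificate
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen or len(path) >= max_len:
            break
        path.append(nxt)
        seen.add(nxt.subject)
    return path                                     # [end entity, ..., topmost found]


def validate(end_entity, supplied, trust_anchors, max_len=8):
    """Trust-anchor-first order. Returns (ok, reason, number_of_signature_checks)."""
    counter = [0]
    anchors = {a.subject: a for a in trust_anchors}
    path = build_path(end_entity, supplied, max_len)
    top = next((i for i, c in enumerate(path) if c.issuer in anchors), None)
    if top is None:
        # Nothing in the path claims to be issued by a trust anchor: reject
        # without having performed a single signature check.
        return False, "no path to a trust anchor", counter[0]
    issuer = anchors[path[top].issuer]
    for c in reversed(path[:top + 1]):             # from the anchor down to the leaf
        if not verify_signature(c, issuer, counter):
            return False, f"bad signature on {c.subject}", counter[0]
        issuer = c
    return True, "certificate is valid", counter[0]


def validate_leaf_up(end_entity, supplied, trust_anchors, max_len=8):
    """Naive order for comparison: verify each signature while walking up from
    the leaf, learning only at the top whether the chain ends at a trust anchor."""
    counter = [0]
    anchors = {a.subject: a for a in trust_anchors}
    by_subject = {c.subject: c for c in supplied}
    cert = end_entity
    for _ in range(max_len):
        if cert.issuer in anchors:
            ok = verify_signature(cert, anchors[cert.issuer], counter)
            reason = "certificate is valid" if ok else f"bad signature on {cert.subject}"
            return ok, reason, counter[0]
        if cert.issuer == cert.subject:             # reached an untrusted self-signed root
            return False, "no path to a trust anchor", counter[0]
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return False, "no path to a trust anchor", counter[0]
        if not verify_signature(cert, issuer, counter):
            return False, f"bad signature on {cert.subject}", counter[0]
        cert = issuer
    return False, "path too long", counter[0]


# Constructed sample material: a genuine hierarchy ...
ROOT = self_sign("Root", _key("Root"))
INTER = issue("Inter", _key("Inter"), ROOT)
EE = issue("www.example.test", _key("ee"), INTER)

# ... a forged intermediate that merely claims "Root" as its issuer ...
ATTACKER_ROOT = self_sign("Root", _key("attacker"))
FAKE_INTER = issue("Inter", _key("fake-inter"), ATTACKER_ROOT)
FAKE_EE = issue("www.example.test", _key("fake-ee"), FAKE_INTER)


def bogus_chain(n):
    """... and a long, internally consistent chain rooted nowhere we trust."""
    root = self_sign("BogusRoot", _key("bogus-root"))
    certs, issuer = [root], root
    for i in range(n):
        issuer = issue(f"Bogus{i}", _key(f"bogus{i}"), issuer)
        certs.append(issuer)
    return issue("victim.test", _key("bogus-ee"), issuer), certs


if __name__ == "__main__":
    bee, bcerts = bogus_chain(5)
    for label, args in [("genuine", (EE, [INTER])), ("forged", (FAKE_EE, [FAKE_INTER])),
                        ("untrusted", (bee, bcerts))]:
        print(label, "anchor-first:", validate(*args, [ROOT]),
              "leaf-up:", validate_leaf_up(*args, [ROOT]))
```

The genuine chain costs two checks either way. For the forged chain the anchor-first order rejects after one check (the fake intermediate fails against the real `Root` key) where leaf-up spends two, and for the five-deep untrusted chain the anchor-first order performs no signature check at all while leaf-up verifies all six before discovering the chain never reaches a trust anchor. Real validators also cap path length and cache results, as the dirmngr description above notes; the toy `max_len` stands in for that cap.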

More information about the Gnutls-devel mailing list