[gnutls-devel] X.509 "Key Identifiers" in GnuTLS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 5 19:47:54 CET 2013


On 03/05/2013 01:40 PM, Peter Williams wrote:
> Think of it as vendor-value add - where no one will agree on its value. Often patent or “other” reasons are behind such inability to agree.

hm, i'm not inclined to think of this as something sinister.  there
actually *is* a documented "common method" recommendation.  It's GnuTLS
that is divergent from it.  Are you implying that GnuTLS has some sort
of patent or proprietary reason for its divergence?  That seems
implausible to me.

> For example, a hash value in the serial number of certs saved VeriSign from the md5 compromise, since it made it SO Much harder to predict a plaintext AND find a collision. To me it was elementary cryptanalysis; but try convincing generalists of it. Specialists in the know would accept the argument, but there would always be “specious” reasons why not to make it a standardized element. We all know what lay behind those specious reasons, now.

Again, i'm not sure what you're implying here.  I'm not talking about
the serial number, but rather the key identifiers.

If GnuTLS is doing something different from everyone else, and we have a
good reason for doing it different, shouldn't we be encouraging other
toolkits to at least offer their users the option of taking our improved
approach?

On the other hand, if GnuTLS has no reason for the divergence (e.g. if
it was an accident) then shouldn't we try to reduce divergence to
improve interoperability?

	--dkg
