[Help-gnutls] Re: Semantics of `gnutls_openpgp_key_check_hostname ()'
Daniel Kahn Gillmor
dkg-debian.org at fifthhorseman.net
Wed Apr 11 17:55:56 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed 2007-04-11 09:30:11 -0400, Simon Josefsson wrote:
> ludo at chbouib.org (Ludovic Courtès) writes:
>
>> if one of the key's names matches _exactly_ HOSTNAME. Since key
>> names are not supposed to be host names but rather RFC822 strings,
>> this is of little use.
>>
>> Perhaps it should rather check whether the email part of one of the key
>> names matches HOSTNAME?
>
> I'm not sure... it is pretty important that name checks are well
> defined. As I recall, there are no clear requirements on what key
> names should be in the standard, or is there?
RFC 2440 [0] says:
5.11. User ID Packet (Tag 13)
A User ID packet consists of data that is intended to represent the
name and email address of the key holder. By convention, it includes
an RFC 822 mail name, but there are no restrictions on its content.
The packet length in the header specifies the length of the user id.
If it is text, it is encoded in UTF-8.
I think this is the relevant section to what's under discussion here.
If there's a more relevant section, please point it out!
So i think it'd be OK to put whatever you want there, though there are
certainly circumstances where i wouldn't want to sign a key/uid
binding if the uid were just the hostname.
For example, if foo.example.com runs an LDAP service as a
non-privileged user (STARTTLS-enabled, of course), i'd prefer that the
uid on the key used was something like
ldap://foo.example.com/
and not just "foo.example.com". Otherwise, a compromised LDAP service
could masquerade as other services on the same machine.
I'm not sure that a URI is the right thing to put there, but some
indication of the service in particular is probably worth considering.
I haven't read the documentation for
gnutls_openpgp_key_check_hostname() yet, though.
--dkg
[0] http://www.ietf.org/rfc/rfc2440.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8+ <http://mailcrypt.sourceforge.net/>
iD8DBQFGHQUBiXTlFKVLY2URApMjAJkBwfPiv9A014e3Q3+qT4ZLMC5dRACgw2L9
KSfX9IHxmDYG4aaM2dkuByE=
=KdfG
-----END PGP SIGNATURE-----
More information about the Gnutls-help
mailing list