gnutls-devel


From: Daniel Kahn Gillmor
Subject: supporting out-of-process certificate validation [was: Re: The _gnutls_x509_verify_certificate fix]
Date: Tue, 11 Nov 2008 16:31:13 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

On Tue 2008-11-11 10:51:45 -0500, Simon Josefsson wrote:

> Generally, I don't think X.509 validation belongs in the same
> process as a TLS client or server -- it is complex and mistakes will
> happen, it is better to put all X.509 handling (including private
> key handling) in a separate process.

This sounds like a good thing to me.  Do we have a clear API or
inter-process protocol for these functions?

I quite like (and use daily) OpenSSH's ssh-agent model for
out-of-process handling of private keys [0].  I'd love to see that
used (or extended if the data types are incompatible) to be able to
work with TLS connections.  Then a single backend agent could be used
for both SSH and TLS connections.

SSH does *not* have any built-in PKI for certificate verification or
hooks of this sort, though X.509 certs are supported by a set of
third-party patches [1].

However, OpenPGP certificates *are* supported in external processes
using native OpenSSH hooks by the monkeysphere [2].  The hooks the
Monkeysphere uses weren't designed with key management in mind,
though, and could probably be improved.  As part of the Monkeysphere
team, I'd love to see a spec for how these hooks for external
certificate validation *should* look, and would be interested in
implementing them.  If we could frame them as extensions of the
OpenSSH agent protocol, that would be additional gravy.

I'd be very interested in helping to flesh out what communications
primitives this kind of a spec should involve, particularly if it
allows people to substitute different validation models depending on
personal preference, and to share validation models across
applications.

If anyone else is working on such a spec, I'd love to hear about it.

         --dkg

[0] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.agent?rev=HEAD;content-type=text%2Fplain
[1] http://www.roumenpetrov.info/openssh/
[2] http://web.monkeysphere.info/
