[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Test failure of ‘chainverify’
From: |
Daniel Kahn Gillmor |
Subject: |
Re: Test failure of ‘chainverify’ |
Date: |
Fri, 12 Mar 2010 11:38:41 -0500 |
User-agent: |
Mozilla-Thunderbird 2.0.0.22 (X11/20091109) |
On 03/12/2010 03:45 AM, Tomas Mraz wrote:
> I do not think
> that certificates which are directly on the trusted list should be
> rejected if they are expired or signed with a weak algorithm. There
> might be a slight argument for the expiry check because the expiration
> might happen behind the notice of the user who put it to the trusted
> list and arguably the expiration time signals that the
> private-key/certificate should not be used after the time.
I think that trusting listed certificates after their internally-stated
expiry could be a surprising experience for users (in a bad way).
Maybe we need a way for a user to communicate to the library that she
wants to trust a given certificate beyond its internal expiry?
> However for
> the weak algorithm check there is no reason at all because the signature
> of the certificate is not relevant if we trust the public-key of the
> certificate directly.
I agree that the type of digest algorithm used in the signature (whether
self-signed or not) is irrelevant for certificates in the trusted list.
However, ignoring weak digests does not mean we should ignore *all* weak
algorithm checks for these certificates. For example, if a 512-bit RSA
key would not be acceptable elsewhere in the chain, we should not accept
it in the trusted root list.
--dkg
signature.asc
Description: OpenPGP digital signature