Daniel Kahn Gillmor wrote:
> Thanks for the feedback, Simon.
>
> On 02/19/2009 05:02 PM, Simon Josefsson wrote:
>> Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:
>>> 3) default to having GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT be set
>> This is essentially the (untested) patch I proposed earlier.
>>
>>> (this may mean that there is *no way* to turn this flag off --
>>> hopefully people who know gnutls better than myself can say if this is
>>> the case)
>> Applications can still call gnutls_certificate_set_verify_flags to
>> override the default.
>
> Good point. I appreciate the clarification.
>
>> While I was negative initially, I think there are some arguments for
>> this solution: it only enables V1 CAs that the user has _explicitly_
>> marked as trusted. So the user could be informed through documentation
>> that if he adds V1 CAs as trusted certs, they may lead to the security
>> problems with V1 certs.
>
> My understanding is that the security problem is with adding V1
> *end-entity* certificates to the trusted certificate list. If you do
> so, and we go with option 3, those EE certificates would be able to act
> as certificate authorities because GnuTLS is unable to distinguish the
> two classes of certificate. But this doesn't indicate any problems with
> adding V1 CA certs, only EE certs, no?
Indeed it affects end entity certs. I missed the discussion, though I understand it is about V1 CAs being disabled by default. To be honest, although V1 certificates have been deprecated for more than a decade, CAs still use the V1 format for their certificates (ca-certificates contains more than 10 of these). However, allowing them by default will make applications that rely on adding end-entity certificates to the trusted certificate list insecure. Thus it might be better for applications to explicitly enable this flag if they do not use end-entity certificates there.

regards,
Nikos
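The thread's risk rests on one structural fact: a V1 certificate has no extensions, so it cannot carry basicConstraints, and a verifier that has been told to accept V1 issuers (GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT) cannot tell a V1 CA from a V1 end-entity certificate that someone dropped into the trust list. An operator deciding whether to enable that flag therefore wants to know which entries in the trust store are V1 at all. The following is an added example, not code from this thread or from GnuTLS: a dependency-free Python audit that decodes the version field of each certificate in a PEM bundle (such as ca-certificates.crt) and lists the V1 entries, i.e. the ones that would gain issuer power under the flag. All function names are my own, and the sample bundle is built from constructed stubs that contain only the leading TBSCertificate fields the check reads; they are not valid certificates.

```python
import base64
import re

# Matches each PEM-armoured certificate in a bundle such as ca-certificates.crt.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _read_tlv(buf, off):
    """Decode one DER tag-length-value at buf[off:].

    Returns (tag, value_start, value_end). Only the length forms real
    certificates use (short form and 1-4 byte long form) are handled.
    """
    tag = buf[off]
    first = buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, off, off + length


def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    TBSCertificate begins with 'version [0] EXPLICIT INTEGER DEFAULT v1(0)',
    so a certificate whose tbsCertificate does not start with a [0] tag is
    v1. A v1 certificate cannot carry extensions, hence no basicConstraints,
    which is why a verifier cannot tell a v1 CA from a v1 end entity.
    """
    tag, tbs_off, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, field_off, _ = _read_tlv(der, tbs_off)  # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, v_off, _ = _read_tlv(der, field_off)    # first TBSCertificate field
    if tag != 0xA0:                              # [0] EXPLICIT absent -> v1
        return 1
    itag, i_start, i_end = _read_tlv(der, v_off)
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[i_start:i_end], "big") + 1


def audit_trust_bundle(pem_bundle):
    """Return the version of every certificate in a PEM bundle, in order."""
    versions = []
    for m in PEM_CERT_RE.finditer(pem_bundle):
        der = base64.b64decode(m.group(1))
        versions.append(x509_version(der))
    return versions


def v1_entries(pem_bundle):
    """Indices of the v1 certificates: the entries that would be accepted as
    issuers under GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, CA or not."""
    return [i for i, v in enumerate(audit_trust_bundle(pem_bundle)) if v == 1]


# --- constructed sample input (not real certificates) -----------------------
# Only the leading fields the check reads are present; these stubs would not
# validate as certificates, they just exercise the version-detection path.

def _der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _stub_cert(tbs_fields):
    tbs = _der(0x30, tbs_fields)
    # empty signatureAlgorithm SEQUENCE and an empty BIT STRING signature
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def _pem(der):
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


# v1 stub: no version field, TBSCertificate starts directly with serialNumber
V1_STUB = _stub_cert(_der(0x02, b"\x01"))
# v3 stub: version [0] EXPLICIT INTEGER 2, then serialNumber
V3_STUB = _stub_cert(_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01"))

SAMPLE_BUNDLE = _pem(V3_STUB) + _pem(V1_STUB) + _pem(V3_STUB)

if __name__ == "__main__":
    print("versions:", audit_trust_bundle(SAMPLE_BUNDLE))
    print("v1 entries to review:", v1_entries(SAMPLE_BUNDLE))
```

Run against a real bundle by reading the file as bytes and passing it to v1_entries; every index it reports is a certificate that the flag would let act as an issuer, so those are the entries to confirm are genuine CAs before turning the flag on, and the reason an application that also adds end-entity certificates to the same list should leave it off.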