Dear list,

I hope this is not too off-topic, but I guess those most well suited for
the task can be found at this list.

I recently started working on a python3 library[1] to support the
implementation of DANE in python3 based applications. I am looking for
some support in form of a second or third pair of eyes. As this is a
security sensitive topic, I would be glad if someone took the time to
look over the approx. 600 lines of python code or the user interface
documentation.

To make it clear what the scope of the library is: It is not a
validating resolver; that is expected to be handled by the application.
It is not a TLS stack or bound to a specific TLS stack. It provides
parsing and hashing of certificates (via the pyasn1 package), as well as
functions to validate a chain of certificates (provided by the
application) used for TLS against a TLSA RRset (provided by the
application) together with the information whether PKIX validation
succeeded (also provided by the application). For PKIX validation, it
provides a facility to extract and validate trust anchors from TLSA RRsets.

I would like a general review (or any kind of feedback for that matter),
but I also have a specific question: I am unsure about the
implementation of the "CA constraint" usage. Is it correct to allow a
"CA constraint" record to enable the use of an otherwise untrusted (but
not invalid, e.g. expired) CA certificate?

Please also take a look at the documentation (for your convenience also
available online at [2]), as it describes the workflow and interface for
developers using the library, which has impact on the achieved security.

If anyone wants to review or take a quick look to see whether I’m doing
the right thing, I would be happy if any issues or feedback were
reported to me either off-list to this email address, in the GitHub
bug tracker, or on-list if that is considered sufficiently on-topic for
the list. As the library has been published like just now, I assume that
no one has put trust into it yet, so security critical bugs do not need
to be handled privately. If you want to do that nevertheless, use the
GPG key found in the repository (not attaching as it is quite large).
The fingerprint is:

      Key fingerprint = AA5A 78FF 508D 8CF4 F355  F682 E5ED E5AC 679E 300F

thanks for your attention,
Jonas Wielicki

   [1]: https://github.com/horazont/python3-dane/
   [2]: https://docs.zombofant.net/python3-dane/devel/

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
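
The following is an added example, not code from python3-dane or from its author. It shows the kind of check the message describes: matching an application-supplied certificate chain against a TLSA RRset per RFC 6698, where usages 0 and 1 also require the application's PKIX result. The names `Cert`, `TLSA`, `record_matches`, `dane_verify` and the `validates_to` callback are hypothetical, and the application is assumed to have already extracted each certificate's DER and SubjectPublicKeyInfo bytes.

```python
import hashlib
from typing import Callable, NamedTuple, Sequence

class Cert(NamedTuple):      # hypothetical container, filled in by the application
    der: bytes               # full DER-encoded certificate
    spki: bytes              # DER-encoded SubjectPublicKeyInfo taken from it

class TLSA(NamedTuple):      # one record of the RRset, fields as in RFC 6698
    usage: int               # 0 CA constraint, 1 service cert, 2 trust anchor, 3 domain-issued
    selector: int            # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int               # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes              # certificate association data

_DIGESTS = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

def record_matches(rr: TLSA, cert: Cert) -> bool:
    """Compare one certificate with the association data of one record."""
    if rr.selector not in (0, 1) or rr.mtype not in _DIGESTS:
        return False         # unknown selector or matching type: unusable record
    selected = cert.der if rr.selector == 0 else cert.spki
    return _DIGESTS[rr.mtype](selected) == rr.data

def dane_verify(chain: Sequence[Cert], rrset: Sequence[TLSA], pkix_ok: bool,
                validates_to: Callable[[Cert], bool]) -> bool:
    """chain[0] is the end-entity certificate, the rest are CA certificates.
    pkix_ok: the application's PKIX result against its own trust store.
    validates_to(c): application callback, True if the chain verifies with c
    as trust anchor (needed for usage 2)."""
    if not chain:
        return False
    leaf, cas = chain[0], chain[1:]
    for rr in rrset:
        if rr.usage == 0:    # CA constraint: PKIX must pass and a CA must match
            ok = pkix_ok and any(record_matches(rr, c) for c in cas)
        elif rr.usage == 1:  # service certificate constraint: PKIX plus leaf match
            ok = pkix_ok and record_matches(rr, leaf)
        elif rr.usage == 2:  # trust anchor assertion: matched CA acts as anchor
            ok = any(record_matches(rr, c) and validates_to(c) for c in cas)
        elif rr.usage == 3:  # domain-issued certificate: leaf match only
            ok = record_matches(rr, leaf)
        else:
            ok = False       # unknown usage: skip the record
        if ok:
            return True      # one matching record is sufficient
    return False

# Constructed placeholder bytes, not real certificates.
LEAF = Cert(b"leaf-der", b"leaf-spki")
CA = Cert(b"ca-der", b"ca-spki")
```

A `False` result here only means that no record in the RRset matched; what the application does with an empty or entirely unusable RRset is a separate decision.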
