Hi there, as it took me a while to figure this out, I'd like to share this.

One of my e-mail providers changed an IMAP certificate, and mail-notification warned me about the new certificate with an unknown fingerprint. Both certificates are issued by different CAs. Surprisingly, though, gnutls-cli with option --tofu did not complain at all (same for --strict-tofu). It turns out that both certificates contain the same public key. (Why would somebody do this?) As gnutls-cli stores only the public key in ~/.gnutls/known_hosts, but nothing about the certificate, it cannot detect any difference.

I don't see any security issue here, but I suggest extending the documentation, in particular the man page of gnutls-cli:

For --tofu, currently "in addition to certificate authentication": this should probably read "instead of certificate authentication." Afterwards emphasize: "Note that public keys are recorded, not certificates."

For --strict-tofu: "certificate" needs to be replaced with "public key" twice.

Alternatively, should ~/.gnutls/known_hosts also store the certificate's fingerprint to detect such changes?

Best wishes
Jens

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
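To make the behaviour described in the message concrete, here is an added example (not from the original post and not GnuTLS code): it builds two self-signed certificates with different subjects that reuse one private key, plus a third certificate with a fresh key, and compares them once by certificate fingerprint (what a mail client remembers) and once by public-key fingerprint (what a key-only TOFU store such as ~/.gnutls/known_hosts effectively compares). It assumes only the openssl command line tool; the host name and subjects are constructed sample values.

```shell
#!/bin/sh
# Added example: why a public-key-only TOFU store cannot distinguish two
# certificates that share a key. Assumes openssl is installed.
set -eu

# spki_fp FILE: SHA-256 over the DER SubjectPublicKeyInfo, i.e. the public
# key alone, independent of issuer, validity or signature.
spki_fp() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_fp FILE: SHA-256 over the whole DER certificate, which changes as soon
# as the issuer, validity period or signature changes.
cert_fp() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# compare_certs OLD NEW: prints "cert-unchanged" for the identical certificate,
# "key-unchanged" when only the certificate differs (key-only TOFU stays
# silent), and "key-changed" when the public key itself differs.
compare_certs() {
    if [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]; then
        echo cert-unchanged
    elif [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ]; then
        echo key-unchanged
    else
        echo key-changed
    fi
}

# make_pair DIR: constructed sample data. old.pem and new.pem stand in for
# certificates from two different CAs that carry the same key; other.pem
# carries a freshly generated key.
make_pair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/shared.key" 2>/dev/null
    openssl req -new -x509 -key "$1/shared.key" -subj "/CN=imap.example/O=Old CA" -days 1 -out "$1/old.pem" 2>/dev/null
    openssl req -new -x509 -key "$1/shared.key" -subj "/CN=imap.example/O=New CA" -days 1 -out "$1/new.pem" 2>/dev/null
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" -subj "/CN=imap.example" -days 1 -out "$1/other.pem" 2>/dev/null
}

# Run as "sh tofu-keys.sh demo" to see both outcomes side by side.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_pair "$d"
    echo "old vs new:   $(compare_certs "$d/old.pem" "$d/new.pem")"    # key-unchanged
    echo "old vs other: $(compare_certs "$d/old.pem" "$d/other.pem")"  # key-changed
    rm -rf "$d"
fi
```

The "key-unchanged" case is exactly the situation in the message: the certificate fingerprint a mail client stores changes, while the public key a key-only TOFU store remembers does not.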