On 04/17/2014 03:23 PM, Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-04-17 at 14:44 -0400, Daniel Kahn Gillmor wrote:
>> I agree that this change in documentation would match the current
>> behavior. I'm wondering, though, whether we want to change the behavior
>> to match the documentation. Both --tofu and --dane say "in addition to
>> certificate authentication", but only --dane seems to accept standard
>> X.509 certificate authentication as well.
>> even using "gnutls-cli --ca-verification --tofu www.example.org" doesn't
>> use certificate verification.
>
> Actually it does, although it only prints the verification failure. It
> seems though that the certificate information is printed twice and thus
> the failure isn't easily seen.
hm, really? let me be more concrete than example.org. the following
connects cleanly for me, with no complaints about certificate validation:
gnutls-cli www.google.com
but if i connect using:
gnutls-cli --tofu www.google.com
then i do see the certificate validation remark ("Status: The
certificate is trusted.") but i am *also* prompted with the TOFU prompt.
If i say "no" on the TOFU prompt, the connection fails:
Host www.google.com (https) has never been contacted before.
Its certificate is valid for www.google.com.
Are you sure you want to trust it? (y/N): n
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
1 dkg@alice:~$
This seems like an odd combination, and *doesn't* match the behavior
when i use --dane.
it's also interesting to note the behavior when i use
--no-ca-verification without either --tofu or --dane: no cert check is
done at all, but the connection still goes through without a complaint.
this seems like "failing open", and it isn't what i'd have expected.
it seems to me like we've got three different possible ways to verify a
certificate:
* DANE
* X.509 CA verification (and OpenPGP CA Verification for RFC 6091)
* TOFU
each of these mechanisms can return "valid" or "not valid", right? (or
should we consider that TOFU could return "valid", "unknown", and "does
not match known key"?)
how should these mechanisms be combined in a principled and predictable way?
--dkg
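As an added illustration (not code from GnuTLS, nor anything proposed by anyone in this thread), here is a small Python model of one way the three verdicts could be combined so that the result is predictable: any mechanism that positively rejects the certificate wins, any mechanism that positively accepts it suffices, and when nothing has vouched for it the connection is refused unless the caller explicitly asked to fail open. The `Verdict` enum, `combine` and the scenario functions are invented for this example; the scenarios are constructed to mirror the cases described above.

```python
from enum import Enum
from typing import Optional


class Verdict(Enum):
    """What one verification mechanism reports about the peer's certificate."""
    VALID = "valid"          # mechanism positively accepts the certificate
    UNKNOWN = "unknown"      # mechanism has no opinion, e.g. TOFU host never seen
    INVALID = "not valid"    # CA failure, DANE mismatch, or TOFU key mismatch


def combine(dane: Optional[Verdict] = None,
            x509: Optional[Verdict] = None,
            tofu: Optional[Verdict] = None,
            fail_open: bool = False) -> bool:
    """Combine the verdicts of the enabled mechanisms (None = not enabled).

    Policy modelled here (an illustration, not GnuTLS behaviour):
      1. any positive rejection is decisive -> connection refused;
      2. otherwise any positive acceptance suffices -> connection allowed;
      3. otherwise nothing vouched for the certificate, and the outcome
         depends on whether the caller explicitly chose to fail open.
    """
    verdicts = [v for v in (dane, x509, tofu) if v is not None]
    if any(v is Verdict.INVALID for v in verdicts):
        return False
    if any(v is Verdict.VALID for v in verdicts):
        return True
    return fail_open


# Scenarios mirroring the thread (constructed inputs, not real handshakes).
def no_mechanism_enabled(fail_open: bool) -> bool:
    # --no-ca-verification with neither --tofu nor --dane enabled
    return combine(fail_open=fail_open)


def trusted_ca_first_contact() -> bool:
    # --tofu against a host whose certificate the CA check already trusts
    return combine(x509=Verdict.VALID, tofu=Verdict.UNKNOWN)


def trusted_ca_key_changed() -> bool:
    # CA still trusts the certificate, but the key differs from the one TOFU pinned
    return combine(x509=Verdict.VALID, tofu=Verdict.INVALID)
```

With this policy the "no mechanism enabled" case only connects when fail-open is chosen deliberately, and a CA-trusted certificate on first contact needs no TOFU prompt.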
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
