On Wed, Jul 16, 2003, Amar Desai wrote:
> Hi All
> I would like to know what are the security concerns if we provide a
> functionality of downloading a CRL (in case where there is no CRL in the
> specified directory or file) in the get_crl function using say wget?
>

You should be careful that you don't download CRLs for untrusted certificates. If you do there are several possible concerns:

DoS attack. The CRL download could be made very slow, either by throttling the connection or including a huge CRL.

Leaking information about the caller. If the CRL downloader is on a machine that isn't public then some details about it can be obtained (IP address etc).

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
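The reply above names three things an automatic CRL fetch has to guard against: fetching for untrusted issuers at all, a slow or huge CRL exhausting the caller, and the fetch itself revealing the caller. The following is an added example of a bounded downloader that applies those mitigations; it is not code from this thread or from OpenSSL, and it assumes a Python application rather than a wget call. The host allow-list, size and time limits, and the sample CRL bytes are all constructed values; the example stops at returning raw DER bytes and does not parse the CRL.

```python
"""Bounded CRL fetch: trust gate, host allow-list, size cap, total deadline."""
import time
import urllib.request
from urllib.parse import urlparse

MAX_CRL_BYTES = 1024 * 1024          # refuse CRLs larger than 1 MiB (constructed limit)
SOCKET_TIMEOUT = 10.0                # seconds any single socket read may block
TOTAL_DEADLINE = 30.0                # seconds allowed for the whole download
# Hypothetical CRL distribution point hosts this application will contact.
ALLOWED_HOSTS = {"crl.example-ca.test"}


class CrlFetchError(Exception):
    """Raised when a CRL download is refused or aborted."""


def read_bounded(read, max_bytes, deadline, clock=time.monotonic, chunk_size=16384):
    """Pull data from read(n) until EOF, enforcing a size cap and a deadline.

    The size cap stops a huge CRL from filling memory.  The deadline stops a
    throttled server: a per-read socket timeout alone never fires when the
    server keeps sending one small chunk just inside the timeout window.
    """
    buf = bytearray()
    while True:
        if clock() > deadline:
            raise CrlFetchError("CRL download exceeded total deadline")
        chunk = read(chunk_size)
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:
            raise CrlFetchError("CRL larger than %d bytes, aborting" % max_bytes)


def check_distribution_point(url):
    """Only http(s) URLs on allow-listed hosts are eligible.

    Refusing arbitrary hosts limits which third parties learn the caller's
    address and that it is performing revocation checks.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise CrlFetchError("unsupported scheme %r" % parts.scheme)
    if parts.hostname not in ALLOWED_HOSTS:
        raise CrlFetchError("host %r is not an approved CRL distribution point"
                            % parts.hostname)
    return url


def _open_http(url, timeout):
    # Real network opener; tests substitute an in-memory file object.
    return urllib.request.urlopen(url, timeout=timeout)


def fetch_crl(url, issuer_trusted, open_url=_open_http, clock=time.monotonic):
    """Download a CRL only for an issuer the caller has already decided to trust.

    Returns the raw DER bytes; parsing and signature verification of the CRL
    against the issuer certificate are left to the caller's X.509 library.
    """
    if not issuer_trusted:
        raise CrlFetchError("refusing to fetch a CRL for an untrusted issuer")
    check_distribution_point(url)
    deadline = clock() + TOTAL_DEADLINE
    with open_url(url, SOCKET_TIMEOUT) as resp:
        data = read_bounded(resp.read, MAX_CRL_BYTES, deadline, clock=clock)
    # A DER-encoded CertificateList starts with a SEQUENCE tag (0x30).
    if not data or data[0] != 0x30:
        raise CrlFetchError("response is not a DER-encoded CRL")
    return data
```

The trust gate comes first on purpose: the decision to fetch is made from the issuer already in the trust store, never from a URL found inside an unverified certificate, so an attacker-supplied certificate cannot steer the application to a host of their choosing.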
