<noloa...@gmail.com> wrote:
> On Sat, Jul 7, 2012 at 4:02 PM, <pro...@secure-mail.biz> wrote:
> > <noloa...@gmail.com> wrote:
> >> You pin a certificate by whitelisting expected server certificates
> >> (possibly thumbprints).
> >
> > [SNIP]
> >
> > So my original question was how do I get wget to verify the torproject.org
> > fingerprint [4] without depending on root CAs? The only possible solution
> > I saw was downloading the torproject.org SSL public key, run a local CA,
> > sign the certificate and run wget with the --ca-certificate switch. That's why
> > I posted the question "Sign public key without having CSR or private key?".
> >
> > If there are any suggestions for this situation I am all ears.
>
> Come to think of it, you could use OpenSSL's s_client to do the
> pinning, and then use wget if everything is OK. It does set up a
> small breeding ground for a TOCTOU
> (http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf),
> but I believe the risk is small.
Since the implementation will be Open Source, it would be possible for an
adversary to take advantage of the TOCTOU, i.e. not tamper with the s_client
traffic but tamper with the wget traffic.

Cheers,
proper

______________________________________________________
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
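The s_client-then-wget sequence proposed in the quoted reply, written out as an added shell example. This is not code from either poster; it assumes a POSIX sh with the openssl command-line tool and wget on PATH. The expected fingerprint is passed in as a parameter because reference [4] is not reproduced in the thread, and the self-signed certificate in make_test_cert is a constructed fixture (the name pin.example is made up) so the pin comparison can be exercised offline.

```shell
#!/bin/sh
# Added example: pin a server's leaf certificate with openssl s_client,
# then download with wget, as sketched in the openssl-users thread.
# Assumptions: POSIX sh, the openssl CLI and wget on PATH.
set -eu

# Print the leaf certificate a TLS server presents, as PEM.
# </dev/null closes stdin so s_client exits right after the handshake;
# openssl x509 keeps only the first PEM block, which is the server cert.
fetch_leaf_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate file as "AB:CD:...", upper-case.
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# Succeed only when the certificate's fingerprint equals the expected pin.
# Case-insensitive; the pin must be the whole colon-separated SHA-256,
# so a truncated pin or an unreadable certificate never passes.
pin_matches() {
    pin_actual=$(fingerprint_of "$1")
    pin_expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$pin_actual" ] && [ "$pin_actual" = "$pin_expected" ]
}

# The thread's plan: pin with s_client, then fetch with wget.
# Usage: pinned_download HOST EXPECTED_SHA256_FINGERPRINT URL
# Caveat raised in the thread: wget opens a second TLS connection that the
# pin check did not cover (the TOCTOU window), and that connection is still
# validated by wget against its own root CA store, not against the pin.
pinned_download() {
    pd_tmp=$(mktemp)
    fetch_leaf_cert "$1" 443 > "$pd_tmp"
    if pin_matches "$pd_tmp" "$2"; then
        rm -f "$pd_tmp"
        wget "$3"
    else
        echo "pin mismatch for $1: got $(fingerprint_of "$pd_tmp")" >&2
        rm -f "$pd_tmp"
        return 1
    fi
}

# Constructed fixture: a throw-away self-signed certificate so the pin
# check can be exercised offline. The subject name pin.example is made up.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pin.example" -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}
```

The gap proper points out comes from the two independent connections: whoever sits on the path can leave the s_client handshake alone and substitute a certificate on the wget handshake. Closing it requires a client that pins and downloads over the same TLS session (curl's --pinnedpubkey option does that); no ordering of s_client and wget can.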