[Telepathy] Certificate verification in empathy

Peter Saint-Andre stpeter at stpeter.im
Tue Dec 7 14:39:44 PST 2010

On 12/7/10 2:42 PM, Stef Walter wrote:
> On 2010-12-06 21:46, Peter Saint-Andre wrote:
>> On 12/6/10 8:23 PM, Stef Walter wrote:
>>>  * Lookup untrusted assertions for CRLs.
>> What about OCSP?
> I'll have to think about that more. I haven't planned anything concrete
> for OSCP yet.
>>> Interested in any comments or insight.
>> I've written a whole spec about just the domain name aspect of
>> certificate validation, which should "soon" be published as an RFC:
>> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check
>> You might want to have a look at that, along with some of the refernced
>> specs (which provide more details about other aspects).
> Interesting. I'll look it over.
> I notice you use the terminology 'pinned certificates'. Maybe we should
> use that terminology as well. Currently I've been saying 'certificate
> exceptions' but that's kind of ambiguous.

Jeff Hodges and I borrowed that terminology from the W3C, although it
might predate their work. It seems to be fairly common.

> In your opinion does the 'pinning' of a certificate override all other
> verification, or merely the identity check?

Only the identity check. You still check the certification path,
revocation status, etc.


Peter Saint-Andre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6105 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freedesktop.org/archives/telepathy/attachments/20101207/2675add4/attachment.bin>

More information about the telepathy mailing list