[Telepathy] Certificate verification in empathy

Peter Saint-Andre stpeter at stpeter.im
Mon Dec 6 19:46:31 PST 2010


On 12/6/10 8:23 PM, Stef Walter wrote:
> Hi all!
> 
> I've been working on updating the certificate verification support in
> empathy [1]. The work isn't completely finished and tested yet (I've run
> into some build issues with gtk+3), but I figured I'd give a heads up on
> these commits.

I'm happy to see folks paying attention to certificate validation.

> The work is on the trust-assertions branch [2] on my empathy
> git.collabora.co.uk repository.
> 
> This stuff is based on the trust assertion research I've been working on
> [3].
> 
> The following has changed:
> 
>  * Storing certificate exceptions for when a user clicks
>    "Remember this choice for future connections"
>    - These certificate exceptions are per host, and not added
>      as a certificate authority as before.

It's scary that you were pinning certs on a per-CA basis before, but at
least you've plugged that hole. :)

>  * Looking up certificate anchors (trust roots) via PKCS#11
>    - Any certificate authority present there can be used.
> 
>  * Building of certificate chains by looking up certificates
>    via PKCS#11.
>    - If the server doesn't send a complete certificate chain
>      then the certificates are loaded locally (if present).
> 
> empathy uses libgcr for these lookups, which uses PKCS#11 to look up the
> various trust anchors and certificate exceptions in PKCS#11 modules. The
> relevant PKCS#11 modules are provided by gnome-keyring.
> 
> gnome-keyring trust-store [4] branch is necessary to make all this work.
> 
> What's missing:
> 
>  * Need to do the various PKCS#11 lookups asynchronously so as
>    not to block UI being displayed by empathy-auth-client.
> 
>  * Look up untrusted assertions for CRLs.

What about OCSP?

> Interested in any comments or insight.

I've written a whole spec about just the domain name aspect of
certificate validation, which should "soon" be published as an RFC:

http://tools.ietf.org/html/draft-saintandre-tls-server-id-check

You might want to have a look at that, along with some of the referenced
specs (which provide more details about other aspects).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
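The trust decision the thread describes (anchors and cached intermediates looked up from a store, server-sent chains completed locally, and "remember this choice" kept as a per-host exception rather than a new CA), as an added toy model that is not empathy's, libgcr's or gnome-keyring's code. The PKCS#11 stores are stand-in dicts, the certificates are constructed records with no real signatures, the hostnames are made up, and the wildcard rule follows the one-label-only matching of the server-id-check draft above.

```python
import hashlib

# Constructed toy certificates: no real signatures, only the fields the
# trust decision depends on (subject, issuer, DNS names, fingerprint).
def cert(subject, issuer, names=()):
    fp = hashlib.sha256(f"{subject}|{issuer}".encode()).hexdigest()[:16]
    return {"subject": subject, "issuer": issuer, "names": tuple(names), "fp": fp}

ROOT = cert("Root CA", "Root CA")
INTER = cert("Intermediate CA", "Root CA")
LEAF = cert("chat.example.net", "Intermediate CA", ["chat.example.net", "*.example.net"])
SELF = cert("xmpp.example.org", "xmpp.example.org", ["xmpp.example.org"])

# Stand-ins for the PKCS#11 lookups: trust anchors, locally cached
# intermediates, and per-host exceptions keyed by (host, fingerprint).
ANCHORS = {ROOT["subject"]: ROOT}
LOCAL_CERTS = {INTER["subject"]: INTER}
EXCEPTIONS = set()

def build_chain(sent):
    """Extend the server-sent chain from the local store until an anchor or a dead end."""
    chain = list(sent)
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        issuer = chain[-1]["issuer"]
        if issuer in ANCHORS:
            return chain + [ANCHORS[issuer]]
        if issuer not in LOCAL_CERTS:
            return chain  # incomplete chain: nothing local to fill the gap
        chain.append(LOCAL_CERTS[issuer])
    return chain

def name_matches(host, pattern):
    """Match one leading wildcard label only; a wildcard never spans a dot."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def verify(host, sent):
    """Return 'trusted', 'exception' or 'untrusted' for the leaf sent[0]."""
    chain = build_chain(sent)
    anchor = ANCHORS.get(chain[-1]["subject"])
    if anchor == chain[-1] and any(name_matches(host, n) for n in sent[0]["names"]):
        return "trusted"
    if (host, sent[0]["fp"]) in EXCEPTIONS:  # scoped to this host and this cert
        return "exception"
    return "untrusted"

def remember_exception(host, leaf):
    """Per-host exception: trusts exactly this cert for exactly this host."""
    EXCEPTIONS.add((host, leaf["fp"]))
```

A remembered self-signed cert stays usable only for the host it was accepted on, whereas adding it as an anchor would have trusted anything it issued for any name.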


