[Telepathy] Certificate verification in empathy

Stef Walter stefw at collabora.co.uk
Tue Dec 7 13:42:06 PST 2010


On 2010-12-06 21:46, Peter Saint-Andre wrote:
> On 12/6/10 8:23 PM, Stef Walter wrote:
>>  * Lookup untrusted assertions for CRLs.
> 
> What about OCSP?

I'll have to think about that more. I haven't planned anything concrete
for OCSP yet.

>> Interested in any comments or insight.
> 
> I've written a whole spec about just the domain name aspect of
> certificate validation, which should "soon" be published as an RFC:
> 
> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check
> 
> You might want to have a look at that, along with some of the referenced
> specs (which provide more details about other aspects).

Interesting. I'll look it over.

I notice you use the terminology 'pinned certificates'. Maybe we should
use that terminology as well. Currently I've been saying 'certificate
exceptions' but that's kind of ambiguous.

In your opinion does the 'pinning' of a certificate override all other
verification, or merely the identity check?

Cheers,

Stef

