[Telepathy] Certificate verification in empathy
Peter Saint-Andre
stpeter at stpeter.im
Tue Dec 7 14:39:44 PST 2010
On 12/7/10 2:42 PM, Stef Walter wrote:
> On 2010-12-06 21:46, Peter Saint-Andre wrote:
>> On 12/6/10 8:23 PM, Stef Walter wrote:
>>> * Lookup untrusted assertions for CRLs.
>>
>> What about OCSP?
>
> I'll have to think about that more. I haven't planned anything concrete
> for OCSP yet.
>
>>> Interested in any comments or insight.
>>
>> I've written a whole spec about just the domain name aspect of
>> certificate validation, which should "soon" be published as an RFC:
>>
>> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check
>>
>> You might want to have a look at that, along with some of the referenced
>> specs (which provide more details about other aspects).
>
> Interesting. I'll look it over.
>
> I notice you use the terminology 'pinned certificates'. Maybe we should
> use that terminology as well. Currently I've been saying 'certificate
> exceptions' but that's kind of ambiguous.
Jeff Hodges and I borrowed that terminology from the W3C, although it
might predate their work. It seems to be fairly common.
> In your opinion does the 'pinning' of a certificate override all other
> verification, or merely the identity check?
Only the identity check. You still check the certification path,
revocation status, etc.
Peter
--
Peter Saint-Andre
https://stpeter.im/
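The split Peter describes in his last answer, with pinning replacing only the identity check while path validation and revocation status stay in force, is easy to get wrong in practice. The following Python is an added example written for this page; it is not code from this thread, from Telepathy/Empathy, or from the draft. It treats the certification-path and CRL/OCSP results as inputs (as they would come back from the TLS library), implements the reference-identifier comparison with the strict wildcard rules of draft-saintandre-tls-server-id-check (published as RFC 6125, section 6.4.3), and keys pins by the SHA-256 of the exact certificate that was accepted. The certificate bytes, names and pin set are constructed for the example.

```python
"""Added example: a model of the verification order discussed above.

A pinned certificate stands in for the identity (reference-identifier) check
only; certification-path validation and revocation status are still enforced.
Path and revocation outcomes are taken as inputs, as the TLS library would
return them. SAMPLE_DER below is constructed for the example, not real DER.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class PeerCertificate:
    der: bytes        # DER encoding as returned by the TLS library
    dns_ids: list     # dNSName values from subjectAltName (presented identifiers)
    path_valid: bool  # result of certification-path validation
    revoked: bool     # result of the CRL/OCSP lookup


def fingerprint(der: bytes) -> str:
    """Pins are keyed by the SHA-256 of the exact certificate the user accepted."""
    return hashlib.sha256(der).hexdigest()


def dns_id_matches(reference: str, presented: str) -> bool:
    """Compare a reference identifier with a presented DNS-ID.

    Wildcards follow the strict reading of RFC 6125 section 6.4.3: the wildcard
    must be the whole left-most label and matches exactly one label. Refusing a
    wildcard with fewer than two labels after it (*.com) is an extra restriction
    common in implementations, not a rule of the draft.
    """
    ref = reference.lower().rstrip(".")
    pres = presented.lower().rstrip(".")
    if "*" in ref:
        return False  # reference identifiers never contain wildcards
    if ref == pres:
        return True
    ref_labels = ref.split(".")
    pres_labels = pres.split(".")
    if pres_labels[0] != "*" or "*" in pres_labels[1:]:
        return False
    if len(pres_labels) < 3 or len(pres_labels) != len(ref_labels):
        return False
    return pres_labels[1:] == ref_labels[1:]


def verify_peer(cert: PeerCertificate, reference_id: str, pins: set):
    """Return (accepted, reason). A pin is consulted only after the checks it
    does not override have passed, so a pinned-but-revoked certificate fails."""
    if not cert.path_valid:
        return False, "certification path does not validate"
    if cert.revoked:
        return False, "certificate is revoked"
    if fingerprint(cert.der) in pins:
        return True, "pinned certificate accepted; identity check skipped"
    if any(dns_id_matches(reference_id, p) for p in cert.dns_ids):
        return True, "presented identifier matches " + reference_id
    return False, "no presented identifier matches " + reference_id


# Constructed stand-in for a DER certificate; not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"example-cert-bytes"
PINS = {fingerprint(SAMPLE_DER)}


def demo():
    good = PeerCertificate(SAMPLE_DER, ["*.example.net"], True, False)
    mismatched = PeerCertificate(SAMPLE_DER, ["chat.other.example"], True, False)
    revoked = PeerCertificate(SAMPLE_DER, ["chat.other.example"], True, True)
    return {
        "wildcard match": verify_peer(good, "xmpp.example.net", set()),
        "pin overrides identity": verify_peer(mismatched, "xmpp.example.net", PINS),
        "pin does not override revocation": verify_peer(revoked, "xmpp.example.net", PINS),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:34s} -> {'accept' if ok else 'reject'}: {why}")
```

The ordering in verify_peer is the whole point: if the pin lookup came first, a user who once clicked through a warning would keep trusting a certificate after its CA revoked it, which is exactly the outcome Peter's answer rules out.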