[Telepathy] Certificate verification in empathy
stpeter at stpeter.im
Tue Dec 7 14:39:44 PST 2010
On 12/7/10 2:42 PM, Stef Walter wrote:
> On 2010-12-06 21:46, Peter Saint-Andre wrote:
>> On 12/6/10 8:23 PM, Stef Walter wrote:
>>> * Lookup untrusted assertions for CRLs.
>> What about OCSP?
> I'll have to think about that more. I haven't planned anything concrete
> for OCSP yet.
>>> Interested in any comments or insight.
>> I've written a whole spec about just the domain name aspect of
>> certificate validation, which should "soon" be published as an RFC:
>> You might want to have a look at that, along with some of the referenced
>> specs (which provide more details about other aspects).
> Interesting. I'll look it over.
> I notice you use the terminology 'pinned certificates'. Maybe we should
> use that terminology as well. Currently I've been saying 'certificate
> exceptions' but that's kind of ambiguous.
Jeff Hodges and I borrowed that terminology from the W3C, although it
might predate their work. It seems to be fairly common.
> In your opinion does the 'pinning' of a certificate override all other
> verification, or merely the identity check?
Only the identity check. You still check the certification path,
revocation status, etc.
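
Added example, not part of the original message and not Empathy or Telepathy code: a Python sketch of the rule stated above, where a pin replaces only the name match while the TLS stack still validates the certification path (and, optionally, CRLs). The pin format (SHA-256 of the DER certificate), the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample value, standing in for a certificate's DER bytes.
SAMPLE_DER = b"constructed-sample-der-bytes"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding (pin format assumed here)."""
    return hashlib.sha256(der).hexdigest()


def make_context(pinned: bool, check_crl: bool = False) -> ssl.SSLContext:
    """Path validation is always on; a pin only switches off the name match."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    if pinned:
        ctx.check_hostname = False       # identity comes from the pin instead
    if check_crl:
        # CRLs must be loaded with ctx.load_verify_locations(), else the handshake fails.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def identity_ok(host: str, peer_der: bytes, pins: dict, name_matched: bool) -> bool:
    """Pinned host: the presented certificate must be the pinned one.
    Unpinned host: use the result of the normal name check."""
    pin = pins.get(host)
    if pin is None:
        return name_matched
    return hmac.compare_digest(pin, fingerprint(peer_der))


def open_verified(host: str, port: int, pins: dict) -> ssl.SSLSocket:
    """Connect, let the TLS stack validate the chain, then apply the identity rule."""
    ctx = make_context(pinned=host in pins)
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # raises on a bad chain, pin or not
    # With check_hostname on, a completed handshake means the name matched.
    peer_der = tls.getpeercert(binary_form=True)
    if not identity_ok(host, peer_der, pins, ctx.check_hostname):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate for {host} does not match pin")
    return tls
```
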