[Telepathy] Certificate verification in empathy

Peter Saint-Andre stpeter at stpeter.im
Tue Dec 7 14:54:28 PST 2010


On 12/7/10 3:48 PM, Stef Walter wrote:
> On 2010-12-07 16:39, Peter Saint-Andre wrote:
>> On 12/7/10 2:42 PM, Stef Walter wrote:
>>> In your opinion does the 'pinning' of a certificate override all other
>>> verification, or merely the identity check?
>>
>> Only the identity check. You still check the certification path,
>> revocation status, etc.
> 
> Okay, well then in this case we're doing something different.
> 
> The 'certificate exceptions' stored override all other checks. This is
> because their main use case is with regards to self-signed certificates.
> 
> So I imagine we should keep the terminology separate if 'pinning' a
> certificate already has a distinct meaning.

To be clear, a self-signed certificate isn't a fit subject for checking
the certificate path (there is none), the revocation status (there's no
one to revoke it), etc. In the spec I've pointed you to, we don't
discuss self-signed certificates at all (and that's by design). However,
I think you could use the term "pinning" with regard both to CA-issued
certs that trigger identity mismatches and to self-signed certs.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
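The difference between the two behaviours discussed in this message, as an added sketch that is not code from Empathy, Telepathy or the spec referred to above: a "pin" cancels only the identity mismatch, while a stored "certificate exception" cancels every check. The `Failure` flags, the `Presented` record, the host name and the certificate bytes are hypothetical and constructed for the example, and treating a self-signed certificate as acceptable only through a stored entry is an assumption.

```python
import hashlib
from dataclasses import dataclass
from enum import Flag, auto

class Failure(Flag):
    NONE = 0
    IDENTITY_MISMATCH = auto()  # certificate does not name the server we asked for
    PATH_INVALID = auto()       # certification path does not validate
    REVOKED = auto()            # revocation check failed

@dataclass(frozen=True)
class Presented:
    host: str
    der: bytes          # constructed stand-in for the certificate's bytes
    self_signed: bool
    failures: Failure   # what the TLS library reported (hypothetical shape)

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def accept(cert: Presented, stored: set, policy: str) -> bool:
    """stored: (host, fingerprint) pairs the user approved earlier.
    policy: "pin" (overrides the identity check only) or
            "exception" (overrides every check)."""
    if policy not in ("pin", "exception"):
        raise ValueError(policy)
    approved = (cert.host, fingerprint(cert.der)) in stored
    if cert.self_signed:
        # No path to check and no issuer to revoke it, so the stored
        # entry is the only basis for trust under either policy.
        return approved
    if approved and policy == "exception":
        return True
    remaining = cert.failures
    if approved:
        remaining &= ~Failure.IDENTITY_MISMATCH
    return not remaining

# Constructed sample data, not real certificates.
CA_DER, SS_DER = b"constructed CA-issued cert", b"constructed self-signed cert"
STORED = {("im.example.org", fingerprint(CA_DER)),
          ("im.example.org", fingerprint(SS_DER))}
mismatch = Presented("im.example.org", CA_DER, False, Failure.IDENTITY_MISMATCH)
revoked = Presented("im.example.org", CA_DER, False,
                    Failure.IDENTITY_MISMATCH | Failure.REVOKED)
self_signed = Presented("im.example.org", SS_DER, True, Failure.PATH_INVALID)

if __name__ == "__main__":
    for name, cert in [("mismatch", mismatch), ("revoked", revoked),
                       ("self-signed", self_signed)]:
        print(name, accept(cert, STORED, "pin"), accept(cert, STORED, "exception"))
```

The `revoked` case is the one where the two policies diverge: the pin rejects it, the exception accepts it.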


