<div dir="ltr"><br><div class="gmail_extra">Hi Daniel, Hi everybody<span class=""></span><br><br></div><div class="gmail_extra">Thanks for your answer,<br><span id="result_box" class="" lang="en"><span class=""><br>On reflecting on</span> <span class="">the points</span> <span class="">that you had</span> <span class="">given me</span><span class="">, I feel that</span> <span class="">I need</span> <span class="">to learn more about the problem, I need to understand</span></span> what is (are) the problem(s) with debian PKI ? and what is the aim of such project (improving debian PKI) ? <br>
</div><div class="gmail_extra">why we need to share a default source for retrieving system certificate anchors and black list information ? to interrogate SSL/TLS sockets ? and how these process can prevent against fake certificate / increase security ?<br>
</div><div class="gmail_extra">what are the risks with the actual configuration ?<br><br></div><div class="gmail_extra">Any comments, <span id="result_box" class="" lang="en"><span class="">explanations, </span></span><span id="result_box" class="" lang="en"><span class=""><span id="result_box" class="" lang="en"><span class="">any reference to docs</span></span> are welcome.<br>
<br></span></span></div><div class="gmail_extra"><span id="result_box" class="" lang="en"><span class="">Thanks in advance,<br></span></span></div><div class="gmail_extra"><span id="result_box" class="" lang="en"><span class="">Regards.<br>
<br></span></span></div><div class="gmail_extra"><span id="result_box" class="" lang="en"><span class="">Sami<br></span></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 4, 2013 at 9:59 PM, Daniel Pocock <span dir="ltr"><<a href="mailto:daniel@pocock.com.au" target="_blank">daniel@pocock.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 03/06/13 12:50, Tabibel Sami wrote:<br>
> Hi Daniel,<br>
> I have looked to the links you given me, and I will be interested by<br>
> the following Ideas:<br>
> * Implementing a library to do CRL/OCSP/blacklist checking and make<br>
> applications use it<br>
> * Implementing a tool that interrogate all open sockets that appear to<br>
> support TLS/SSL and report problems<br>
<br>
You are referring to sockets in the listening state, or all active sockets?<br>
<br>
> * tool to monitoring / review of sensitive directories and report on changes<br>
><br>
> but I do not have a concrete idea about the work to be done and so I need your<br>
> advice to choose a topic.<br>
><br>
<br>
You would probably be able to use a few approaches to discover certs on<br>
the filesystem:<br>
<br>
- inotify would provide a useful way to discover when programs access<br>
known certificate files<br>
<br>
- PEM files have some distinctive features. You can find them in<br>
various ways:<br>
a) they are usually not very big (less than 10kb)<br>
b) they contain certain patterns (e.g. beginning with ---)<br>
<br>
You could also look at packages such as ssl-cert-check:<br>
<a href="http://packages.debian.org/sid/ssl-cert-check" target="_blank">http://packages.debian.org/sid/ssl-cert-check</a><br>
<br>
to find interesting ideas.<br>
<br>
As a way forward, I would like to continue this discussion on one of the<br>
mailing lists. Could you subscribe to pkg-auth and reply to this email<br>
through the list? Then we might get some collaboration from other<br>
members of the Debian community.<br>
<br>
<a href="https://lists.alioth.debian.org/mailman/listinfo/pkg-auth-maintainers" target="_blank">https://lists.alioth.debian.org/mailman/listinfo/pkg-auth-maintainers</a><br>
<br>
Regards,<br>
<br>
Daniel<br>
<br>
</blockquote></div><br></div></div>