Bug#514807: a proposal for consideration for V1 CA certs in Etch (and Lenny?)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 20 01:44:06 UTC 2009


Thanks for the feedback, Simon.

On 02/19/2009 05:02 PM, Simon Josefsson wrote:
> Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
>> 3) default to having GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT be set
>
> This is essentially the (untested) patch I proposed earlier.
>
>> (this may mean that there is *no way* to turn this flag off --
>> hopefully people who know gnutls better than myself can say if this is
>> the case)
> 
> Applications can still call gnutls_certificate_set_verify_flags to
> override the default.

Good point.  I appreciate the clarification.

> While I was negative initially, I think there are some arguments for
> this solution: it only enables V1 CAs that the user has _explicitly_
> marked as trusted.  So the user could be informed through documentation
> that if he adds V1 CAs as trusted certs, they may lead to the security
> problems with V1 certs.

My understanding is that the security problem is with adding V1
*end-entity* certificates to the trusted certificate list.  If you do
so, and we go with option 3, those EE certificates would be able to act
as certificate authorities because GnuTLS is unable to distinguish the
two classes of certificate.  But this doesn't indicate any problems with
adding V1 CA certs, only EE certs, no?  Are there other security
problems with V1 certificates for CAs?  I certainly don't understand all
the issues here as well as I wish I did.

I've added Nikos to the Cc list here in case he can clarify.

> I don't think we'll make this change upstream,
> the risks associated don't seem negligible and I think V1 certs should
> just go away.

I agree that V1 certs should just go away, if only to avoid this sort of
confusion.

	--dkg
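As an added illustration of the distinction drawn in this message (example code written for this page, not GnuTLS code and not the patch under discussion), a small model of the trust decision: the flag constant, the certificate descriptions and the trust store are all constructed stand-ins.

```python
# Added example, not GnuTLS code: a model of the verification rule discussed
# in the thread. A certificate is described by its X.509 version and, for v3,
# the value of its basicConstraints cA bit (None = extension absent).
from dataclasses import dataclass
from typing import List, Optional

ALLOW_X509_V1_CA_CRT = 1 << 0  # stand-in for GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT

@dataclass(frozen=True)
class Cert:
    name: str
    version: int                                 # 1 or 3
    basic_constraints_ca: Optional[bool] = None  # v1 certs carry no extensions

def may_issue(cert: Cert, in_trust_store: bool, flags: int) -> bool:
    """Can `cert` act as an issuer (CA) during chain verification?"""
    if cert.version == 3:
        # v3: the certificate itself states whether it is a CA.
        return cert.basic_constraints_ca is True
    if cert.version == 1:
        # v1: no basicConstraints, so a CA and an end-entity cert look the same;
        # only an explicitly trusted v1 cert is accepted, and only under the flag.
        return in_trust_store and bool(flags & ALLOW_X509_V1_CA_CRT)
    raise ValueError(f"unsupported X.509 version {cert.version}")

def trusted_issuers(trust_store: List[Cert], flags: int) -> List[str]:
    """Names of trust-store entries that verification would accept as issuers."""
    return [c.name for c in trust_store if may_issue(c, True, flags)]

# Constructed trust store: a v3 CA, a v3 server (end-entity) cert, a v1 CA,
# and a v1 end-entity cert that an administrator added to trust one server.
TRUST_STORE = [
    Cert("v3-root", 3, basic_constraints_ca=True),
    Cert("v3-server", 3, basic_constraints_ca=False),
    Cert("v1-root", 1),
    Cert("v1-server", 1),
]

if __name__ == "__main__":
    # The v3 end-entity cert never becomes an issuer; the v1 end-entity cert
    # does as soon as the flag is on, because nothing distinguishes it from a CA.
    print("flag off:", trusted_issuers(TRUST_STORE, 0))
    print("flag on: ", trusted_issuers(TRUST_STORE, ALLOW_X509_V1_CA_CRT))
```

A v1 cert that is not in the trust store is rejected as an issuer regardless of the flag, which is the "only explicitly trusted V1 CAs" property Simon describes.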
