
Re: svn commit: r34179 - trunk/subversion/libsvn_ra_serf

From: Justin Erenkrantz <justin_at_erenkrantz.com>
Date: Fri, 14 Nov 2008 10:01:54 -0500

On Fri, Nov 14, 2008 at 5:40 AM, Bert Huijben <b.huijben_at_competence.biz> wrote:
> Why does serf ask to validate the entire chain?
>
> Every other client I know tries to validate certificates with a parent/root certificate and if that fails falls back to asking whether the user trusts the leaf certificate itself.

Well, it's technically OpenSSL that does this. Now, perhaps serf
could turn that off in OpenSSL, but, thinking about it, it makes sense
to also present the entire chain - this is what FF3 et al do now.

> If we would implement chain verification via the same api as the final certificate, the user would see several questions (in my case dialogs) before they can finally reach the https server. This is not common behavior.

Go view a site that has a self-signed root CA and a bad server cert in
FF3 and see how many times you have to explicitly approve your
requests.

I think the extra security is worth it, IMO.

> I also think you can expect to see collisions in certificate names, as you can have several different valid versions of an intermediate certificate with the same name.
> (I really wish this wouldn't be possible, as it took me a few days to find this issue on our server farm)

In the patch that I posted last week, I asked this question and got no
feedback from anyone. If you try to disambiguate by adding in the
realm name, then the user prompt gets foobared - as there isn't a way
to tell the prompter that the primary key and the display name are
different. So, I figured that this is a bikeshed and just went with
the risk that you could get a collision if you have poorly named
certs. The "failure" case is that the storage system would race and
you'd have to approve the intermediate certs each time. You're no
worse off than you were before - and it really highlights a failure of
that specific cert chain. -- justin
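The collision and "race" behaviour discussed above, as an added illustration that is not serf, OpenSSL or Subversion code: a trust cache keyed by certificate subject name versus one keyed by the certificate's SHA-256 fingerprint, exercised against two chains whose intermediates share a name but differ in content. The certificates are constructed placeholder byte strings standing in for DER encodings; the subject names, the `TrustStore` class and the `approve_chain` walk are assumptions made for the example, not the client's real data model.

```python
"""Trust-cache keying: subject name vs. fingerprint (added example).

Two intermediate certificates with the same subject name but different
bytes model the situation Bert describes. The DER blobs are constructed
placeholders, not real X.509 data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # display name a prompter would show
    der: bytes    # encoded certificate (constructed placeholder here)

    @property
    def fingerprint(self) -> str:
        # The fingerprint identifies the exact certificate, name collisions aside.
        return hashlib.sha256(self.der).hexdigest()


class TrustStore:
    """Maps key_fn(cert) to the fingerprint of the certificate the user approved."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self._approved = {}

    def is_trusted(self, cert: Cert) -> bool:
        # Always compare the stored fingerprint so a name collision can never
        # grant trust to the wrong certificate; at worst it causes re-prompting.
        return self._approved.get(self.key_fn(cert)) == cert.fingerprint

    def approve(self, cert: Cert) -> None:
        self._approved[self.key_fn(cert)] = cert.fingerprint


def approve_chain(store: TrustStore, chain, prompt):
    """Walk the presented chain and prompt once for every certificate not yet
    trusted. Returns the subjects the user was asked about; raises if the user
    rejects one."""
    prompted = []
    for cert in chain:
        if store.is_trusted(cert):
            continue
        prompted.append(cert.subject)
        if not prompt(cert):
            raise PermissionError(f"user rejected {cert.subject}")
        store.approve(cert)
    return prompted


# Constructed sample data: one issuing-CA name, two distinct "versions" of it.
INTERMEDIATE_V1 = Cert("CN=Example Issuing CA", b"constructed-der-intermediate-v1")
INTERMEDIATE_V2 = Cert("CN=Example Issuing CA", b"constructed-der-intermediate-v2")
LEAF_A = Cert("CN=svn-a.example.test", b"constructed-der-leaf-a")
LEAF_B = Cert("CN=svn-b.example.test", b"constructed-der-leaf-b")
CHAIN_A = [LEAF_A, INTERMEDIATE_V1]  # leaf first, then its issuer
CHAIN_B = [LEAF_B, INTERMEDIATE_V2]


def by_subject(cert: Cert) -> str:
    return cert.subject


def by_fingerprint(cert: Cert) -> str:
    return cert.fingerprint


def count_prompts(key_fn, sessions=(CHAIN_A, CHAIN_B, CHAIN_A, CHAIN_B)):
    """Replay alternating connections to the two servers with a user who
    approves everything, and report every prompt that was raised."""
    store = TrustStore(key_fn)
    prompts = []
    for chain in sessions:
        prompts.extend(approve_chain(store, chain, lambda cert: True))
    return prompts


if __name__ == "__main__":
    for name, key_fn in (("subject", by_subject), ("fingerprint", by_fingerprint)):
        prompts = count_prompts(key_fn)
        print(f"{name:12s} keyed store: {len(prompts)} prompts -> {prompts}")
```

With the subject-keyed store each connection to the other server overwrites the cached intermediate, so the user is re-asked about the issuing CA on every visit, which is the "you'd have to approve the intermediate certs each time" outcome above; trust is never granted to the wrong certificate because the fingerprint is still compared. Keying by fingerprint (or by realm plus fingerprint, as considered in the thread) stops the re-prompting, at the cost that the cache key and the name shown to the user are no longer the same string.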

Received on 2008-11-14 16:02:26 CET

This is an archived mail posted to the Subversion Dev mailing list.
