Security Basics mailing list archives

Re: How to perform SSL certificate validation ?


From: Alexander Klimov <alserkli () inbox ru>
Date: Thu, 13 Jul 2006 17:55:02 +0300 (IDT)

On Mon, 10 Jul 2006, Nagareshwar Talekar wrote:
>       3) Checks if the CA is trusted.
>
> I don't know how to perform the check for the 3rd step. How can we
> ensure that the CA is trusted? One of my colleagues told me that I have to
> store all trusted root certificates and then compare the incoming
> certificate with the existing ones.

`Trusted' means it can violate your security policy [1], thus you
should put in this list only those CAs that *you* consider
trustworthy. The best option is to put in this list only a certificate
of a CA you have created yourself -- if you consider yourself
trustworthy, that is :-). Another good option is to put nothing and
require IT of your clients to decide whom *they* consider trustworthy.

[1] <http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html>:

    In the US Department of Defense, a `trusted system or
    component' is defined as `one which can break the
    security policy'. This might seem counter-intuitive at
    first, but just stop to think about it. The mail guard
    or firewall that stands between a Secret and a Top
    Secret system can -- if it fails -- break the security
    policy that mail should only ever flow from Secret to
    Top Secret, but never in the other direction. It is
    therefore trusted to enforce the information flow
    policy.

    Or take a civilian example: suppose you trust your
    doctor to keep your medical records private. This means
    that he has access to your records, so he could leak
    them to the press if he were careless or malicious. You
    don't trust me to keep your medical records, because I
    don't have them; regardless of whether I like you or
    hate you, I can't do anything to affect your policy that
    your medical records should be confidential. Your doctor
    can, though; and the fact that he is in a position to
    harm you is really what is meant (at a system level)
    when you say that you trust him. You may have a warm
    feeling about him, or you may just have to trust him
    because he is the only doctor on the island where you
    live; no matter, the DoD definition strips away these
    fuzzy, emotional aspects of `trust' (that can confuse
    people).

-- 
Regards,
ASK
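
The trust check from step 3, as an added example that is not part of the original message: a certificate is accepted only if it chains to a root in a trust list you populate yourself, and adding a second CA to that list makes everything it signs acceptable. It assumes the `openssl` command-line tool (1.1.0 or later); the names own-root, other-root, good.example and rogue.example are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names (own-root, other-root, *.example) are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root certificate $WORK/NAME.pem with key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA NAME: key and CSR for NAME, signed by the CA made above
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to_trusted TRUSTFILE CERT: succeeds only if CERT chains to a root in
# TRUSTFILE. -no-CApath keeps the system-wide CA directory out of the decision.
chains_to_trusted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # report LABEL TRUSTFILE CERT
    if chains_to_trusted "$2" "$3"; then echo "$1: accepted"
    else echo "$1: rejected"; fi
}

make_ca own-root
make_ca other-root
issue_leaf own-root good.example
issue_leaf other-root rogue.example

# Policy A: the trust list holds only the CA we created ourselves.
report "own CA only, good.example " "$WORK/own-root.pem" "$WORK/good.example.pem"
report "own CA only, rogue.example" "$WORK/own-root.pem" "$WORK/rogue.example.pem"

# Policy B: once other-root is on the list, everything it signs is accepted.
cat "$WORK/own-root.pem" "$WORK/other-root.pem" > "$WORK/both.pem"
report "both CAs, rogue.example   " "$WORK/both.pem" "$WORK/rogue.example.pem"
```

The check covers chain building only; hostname matching, validity dates and revocation are separate steps of certificate validation.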
