Security Basics mailing list archives
Re: How to perform SSL certificate validation ?
From: Alexander Klimov <alserkli () inbox ru>
Date: Thu, 13 Jul 2006 17:55:02 +0300 (IDT)
On Mon, 10 Jul 2006, Nagareshwar Talekar wrote:
> 3) Checks if the CA is trusted. I don't know how to perform the check for 3rd step. How can we ensure that CA is trusted? One of my colleagues told me that I have to store all trusted root certificates and then compare incoming certificate with existing ones..

`Trusted' means it can violate your security policy [1], thus you should put in this list only those CAs that *you* consider trustworthy. The best option is to put in this list only a certificate of a CA you have created yourself -- if you consider yourself trustworthy, that is :-). Another good option is to put nothing and require IT of your clients to decide whom *they* consider trustworthy.

[1] <http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html>:

  In the US Department of Defense, a `trusted system or component' is defined as `one which can break the security policy'. This might seem counter-intuitive at first, but just stop to think about it. The mail guard or firewall that stands between a Secret and a Top Secret system can -- if it fails -- break the security policy that mail should only ever flow from Secret to Top Secret, but never in the other direction. It is therefore trusted to enforce the information flow policy.

  Or take a civilian example: suppose you trust your doctor to keep your medical records private. This means that he has access to your records, so he could leak them to the press if he were careless or malicious. You don't trust me to keep your medical records, because I don't have them; regardless of whether I like you or hate you, I can't do anything to affect your policy that your medical records should be confidential. Your doctor can, though; and the fact that he is in a position to harm you is really what is meant (at a system level) when you say that you trust him. You may have a warm feeling about him, or you may just have to trust him because he is the only doctor on the island where you live; no matter, the DoD definition strips away these fuzzy, emotional aspects of `trust' (that can confuse people).

--
Regards,
ASK
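
The "only a CA you have created yourself" option from the reply above, as an added example that is not part of the original post: it builds two throwaway CAs with the openssl CLI and checks that a certificate is accepted only when its issuer is on the hand-picked anchor list. All CA and host names are constructed, and the helper functions are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: a throwaway PKI built on the spot (all names are constructed).
# Needs the openssl CLI, 1.1.0 or later for -no-CApath.

# make_ca DIR NAME: create a self-signed root CA (NAME.key, NAME.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA LEAF: create a key and CSR for LEAF, then have CA sign it.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# is_trusted ANCHORS CERT: succeed only if CERT chains to a CA in ANCHORS,
# a PEM file holding the CA certificates *you* chose. -no-CApath keeps the
# system's default CA directory out of the decision.
is_trusted() {
    openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1
}

# demo: return 0 if a leaf from our own CA is accepted and a validly signed
# leaf from a CA that is not on the list is rejected.
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" my-own-ca && make_ca "$d" some-other-ca &&
        issue_leaf "$d" my-own-ca server.internal &&
        issue_leaf "$d" some-other-ca server.elsewhere || { rm -rf "$d"; return 2; }
    rc=0
    is_trusted "$d/my-own-ca.pem" "$d/server.internal.pem" || rc=1
    if is_trusted "$d/my-own-ca.pem" "$d/server.elsewhere.pem"; then rc=1; fi
    rm -rf "$d"
    return $rc
}

demo && echo "accepted: server.internal, rejected: server.elsewhere"
```

The second certificate carries a perfectly valid signature; it is rejected only because its issuer is not on the list, which is the whole of step 3.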