Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Completion of implementation: valexp predicates #29

Open
vanrein opened this issue Jun 19, 2016 · 1 comment
Open

Completion of implementation: valexp predicates #29

vanrein opened this issue Jun 19, 2016 · 1 comment
Assignees
@vanrein
Labels
bug enhancement
Milestone
release 1.0

Comments

@vanrein
Copy link
Contributor

vanrein commented Jun 19, 2016

The various predicates are not completely implemented in starttls.c yet, and should be. These are the missing pieces:

  • L and l should be related to cryptographic security strength levels, which ought to be defined in an invariant formulation
  • I and i are currently dangerously insecure -- they check the remote identity but forego the comparison to the remote identity
  • A relies on cmd->valflag which is not currently set yet
  • D and d are untested, and founded on badly documented GnuTLS logic; perhaps rephrase in online.c functionality, and dispatch of the extra GnuTLS library with DANE support
  • R and r should get hold of revocation information
  • E and e should lookup Extended Key Usage OIDs, depending on the service at hand
  • P and p should be implemented by looking into trust.db (and possibly adding a value)
  • U and u are not implemented (but actually documented as part of I and i, double attention?)

Note that the rest is working quite nicely -- T and t for instance, as well as I and i as a check for presence of an identity (and only that) and G and g for various global directory patterns, and O and o for various online verifications, and C, c, S, s to check for roles, and F for demanding forward secrecy. On top of that, the logic works very well and the integration within starttls_thread() seems to be quite alright. We have effectively replaced the gnutls_verify() functionality, which is a big step towards the flexible and configurable validation expressions that we aspire for the TLS Pool.
vanrein added a commit that referenced this issue Jun 19, 2016
@vanrein
First delivery of the validation framework
ec4a9bf 
 - The valexp logic has been implemented and integrated properly
 - The gnutls_validate() functionality is no longer statically run
 - Files issues #27 #28 #29 on GitHUB, with unfinished work
@vanrein vanrein mentioned this issue Jun 19, 2016
Merged
@vanrein vanrein added this to the release 1.0 milestone Mar 23, 2019
@vanrein vanrein self-assigned this Mar 28, 2019
@vanrein
Copy link
Contributor Author

vanrein commented Mar 28, 2019

Added for #85 (Prepare for Quantum Computing):

  • Q and q require the connection to be proofed against Quantum Computing; q refers to authentication and Q refers to encryption of the application level; there is currently no flag to protect the names exchanged during the handshake, but we may expand the definition of Q to that end when it becomes practical in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vanrein vanrein

Labels
bug enhancement
Projects
None yet
Milestone
release 1.0
Development

No branches or pull requests
1 participant
@vanrein