Allow 'static' fingerprints in the notary database #37
Comments
I'd suggest making this more of a separate notary. I'm basically working on doing the same at the moment, using the SSL Observatory's database as the certificates it's verifying against. As for the actual timestamps, I think they might be used for caching purposes, but I'd have to go through the code to check.
The client doesn't currently do anything with timestamps; eventually I'd like to be able to use them to display visual certificate histories for sites, as well as warn when a certificate is fresh or has just changed. @cless, I think @ewanm89 might be on the right track here. What might make sense is a notary backend that implements "certificate pinning," as Chrome does for Google properties in-browser. In this case, the pinning is usually done based on the actual public key in the cert, rather than the cert fingerprint itself.
Alright, I personally think it would be useful to have one implementation that has several backend modes so notary admins only have to keep track of one backend and its new features.
@cless Yes, a notary can respond with 303 to explicitly indicate that its vote should be withdrawn from the consensus, which is different from it voting negative in the consensus, being unreachable, or otherwise encountering an error.
Notary operators should have some way to tell their notary what the correct fingerprint for a host:port combination is and have the notary always trust the operator over what it sees. This would prevent a DNS compromise from being fatal. It would also allow notary operators to run some sort of verification service, much like what Certificate Authorities do, while still maintaining all the awesome that Convergence offers (trust agility, etc.).
I've written some code (cless/Convergence@23c79e1) that achieves this goal in part but I would like some input to finish it. In my patch static fingerprints don't expire and they always give the client the same timestamps. I'm not completely sure what the client does with the timestamps so I'm not sure what the impact of that is.
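An added sketch of the lookup order this issue asks for (not Convergence's code and not the linked patch): operator-pinned fingerprints for a host:port are answered first, never expire, and always carry the same timestamps, while unpinned hosts fall back to what the notary observed. The `Notary` class, its method names, `CACHE_TTL`, `STATIC_TS` and the sample fingerprints are assumptions made for illustration.

```python
from dataclasses import dataclass

CACHE_TTL = 3600   # assumption: seconds an observed fingerprint stays fresh
STATIC_TS = 0      # assumption: constant timestamp reported for pinned entries


@dataclass(frozen=True)
class Record:
    fingerprint: str
    start: int
    finish: int
    static: bool = False


def normalize(fp: str) -> str:
    """Canonical form: upper-case hex pairs joined by colons."""
    digits = fp.replace(":", "").replace(" ", "").upper()
    if not digits or len(digits) % 2 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a hex fingerprint: %r" % fp)
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


class Notary:
    def __init__(self):
        self.static = {}     # (host, port) -> set of operator-pinned fingerprints
        self.observed = {}   # (host, port) -> {fingerprint: Record}

    def pin(self, host, port, fp):
        """Operator declares the correct fingerprint for host:port."""
        self.static.setdefault((host.lower(), port), set()).add(normalize(fp))

    def observe(self, host, port, fp, now):
        """Record a fingerprint the notary itself saw on the network."""
        seen = self.observed.setdefault((host.lower(), port), {})
        fp = normalize(fp)
        old = seen.get(fp)
        seen[fp] = Record(fp, old.start if old else now, now)

    def check(self, host, port, client_fp, now):
        """Return (matches, records) for the fingerprint the client saw."""
        key, client_fp = (host.lower(), port), normalize(client_fp)
        pins = self.static.get(key)
        if pins:  # the operator's word overrides anything seen on the network
            records = [Record(fp, STATIC_TS, STATIC_TS, True) for fp in sorted(pins)]
            return client_fp in pins, records
        fresh = [r for r in self.observed.get(key, {}).values()
                 if now - r.finish <= CACHE_TTL]
        return any(r.fingerprint == client_fp for r in fresh), fresh
```

Because pins are consulted before observations, a fingerprint the notary picks up while its own DNS view is wrong never reaches the client for a pinned host. The `static` flag on each record lets a client or audit tool tell operator assertions apart from network observations.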