Re: How to perform SSL certificate validation ?

On Mon, 10 Jul 2006, Nagareshwar Talekar wrote:
3) Checks if the CA is trusted.

I don't know how to perform the check for the 3rd step. How can we
ensure that the CA is trusted? One of my colleagues told me that I have to
store all trusted root certificates and then compare the incoming
certificate with the existing ones.

`Trusted' means it can violate your security policy [1], thus you
should put in this list only those CAs that *you* consider
trustworthy. The best option is to put in this list only a certificate
of a CA you have created yourself -- if you consider yourself
trustworthy, that is :-). Another good option is to put nothing and
require the IT of your clients to decide whom *they* consider trustworthy.

[1] <>:

In the US Department of Defense, a `trusted system or
component' is defined as `one which can break the
security policy'. This might seem counter-intuitive at
first, but just stop to think about it. The mail guard
or firewall that stands between a Secret and a Top
Secret system can -- if it fails -- break the security
policy that mail should only ever flow from Secret to
Top Secret, but never in the other direction. It is
therefore trusted to enforce the information flow

Or take a civilian example: suppose you trust your
doctor to keep your medical records private. This means
that he has access to your records, so he could leak
them to the press if he were careless or malicious. You
don't trust me to keep your medical records, because I
don't have them; regardless of whether I like you or
hate you, I can't do anything to affect your policy that
your medical records should be confidential. Your doctor
can, though; and the fact that he is in a position to
harm you is really what is meant (at a system level)
when you say that you trust him. You may have a warm
feeling about him, or you may just have to trust him
because he is the only doctor on the island where you
live; no matter, the DoD definition strips away these
fuzzy, emotional aspects of `trust' (that can confuse
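As an added illustration of the 3rd step (this is example code, not from the thread), here is the "list of CAs you consider trustworthy" done with Go's standard library: create your own root CA, issue a leaf with it, and verify the leaf against a trust store that holds only that CA, so a leaf from any CA not on the list is rejected. The CA names, host name, 24-hour validity and random serial numbers are constructed for the demo; hostname matching and revocation are separate checks not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a short-lived certificate for cn. With parent == nil it is a
// self-signed root CA; otherwise it is signed by parent's key, as a CA would do.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // constructed serial
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedByRoots is "step 3": the presented leaf must chain to a root in the explicit
// trust store. A non-nil pool (even an empty one) means Go never falls back to the
// system store, so only the CAs *you* put on the list can vouch for a peer.
func TrustedByRoots(leaf *x509.Certificate, roots []*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// Demo: a store holding only our own CA accepts the leaf we issued and rejects a
// leaf issued by a CA that is not on the list (an x509.UnknownAuthorityError).
func Demo() (ownAccepted, unlistedRejected bool) {
	ourCA, ourKey := newCert("Our Root CA", true, nil, nil)
	otherCA, otherKey := newCert("Unlisted CA", true, nil, nil)
	good, _ := newCert("www.example.com", false, ourCA, ourKey)
	bad, _ := newCert("www.example.com", false, otherCA, otherKey)
	return TrustedByRoots(good, []*x509.Certificate{ourCA}) == nil,
		TrustedByRoots(bad, []*x509.Certificate{ourCA}) != nil
}
```

Note that with an empty list (the "put nothing" option from the reply) every leaf is rejected until the client's IT adds the CAs it trusts.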

