Re: How to perform SSL certificate validation ?



On Mon, 10 Jul 2006, Nagareshwar Talekar wrote:
> 3) Checks if the CA is trusted.
>
> I don't know how to perform the check for the 3rd step. How can we
> ensure that the CA is trusted? One of my colleagues told me that I have to
> store all trusted root certificates and then compare the incoming
> certificate with the existing ones..

`Trusted' means it can violate your security policy [1], thus you
should put in this list only those CAs that *you* consider
trustworthy. The best option is to put in this list only the certificate
of a CA you have created yourself -- if you consider yourself
trustworthy, that is :-). Another good option is to put nothing in it and
require the IT of your clients to decide whom *they* consider trustworthy.

[1] <http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html>:

In the US Department of Defense, a `trusted system or
component' is defined as `one which can break the
security policy'. This might seem counter-intuitive at
first, but just stop to think about it. The mail guard
or firewall that stands between a Secret and a Top
Secret system can -- if it fails -- break the security
policy that mail should only ever flow from Secret to
Top Secret, but never in the other direction. It is
therefore trusted to enforce the information flow
policy.

Or take a civilian example: suppose you trust your
doctor to keep your medical records private. This means
that he has access to your records, so he could leak
them to the press if he were careless or malicious. You
don't trust me to keep your medical records, because I
don't have them; regardless of whether I like you or
hate you, I can't do anything to affect your policy that
your medical records should be confidential. Your doctor
can, though; and the fact that he is in a position to
harm you is really what is meant (at a system level)
when you say that you trust him. You may have a warm
feeling about him, or you may just have to trust him
because he is the only doctor on the island where you
live; no matter, the DoD definition strips away these
fuzzy, emotional aspects of `trust' (that can confuse
people).

--
Regards,
ASK
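The "only a CA you created yourself" option from the reply above, as an
added worked example that is not part of the original message: it builds
two private CAs with the openssl command-line tool, issues one server
certificate from each, and then checks each certificate against a trust
store that contains exactly one CA. The CA names (ourca, otherca), the
server names and the cert_trusted helper are all made up for the demo.
The security-relevant detail is the -no-CAfile/-no-CApath pair: without
it, openssl verify silently consults the system-wide trust store in
addition to the file you name, which is precisely the "trust everybody
the OS vendor trusts" policy the reply argues against.

```shell
#!/bin/sh
# Added example: a trust store that contains only our own CA.
# Assumes the openssl command-line tool is installed. All names below
# (ourca, otherca, our-server, other-server) are made up for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/ca-trust-demo.$$"
mkdir -p "$WORK"
cd "$WORK"

# Create a self-signed CA certificate and key ($1 = CA name).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a server certificate signed by a CA ($1 = CA name, $2 = server name).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$2.pem" 2>/dev/null
}

# Print "trusted" or "untrusted" for a certificate ($2) checked against a
# trust store PEM file ($1). -no-CAfile and -no-CApath stop openssl from
# also loading the system-wide trust store, so the file we pass is the
# *entire* trust policy. Always returns 0 so it is safe under set -e.
cert_trusted() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Two independent CAs, one server certificate from each.
make_ca ourca
make_ca otherca
issue_cert ourca our-server
issue_cert otherca other-server

# Trust store = our own CA only: our server passes, the other one fails,
# even though other-server.pem is a perfectly well-formed certificate.
echo "our-server   vs trust store {ourca}:   $(cert_trusted ourca.pem our-server.pem)"
echo "other-server vs trust store {ourca}:   $(cert_trusted ourca.pem other-server.pem)"
# Swap the trust store and the verdicts swap with it: "trusted" is a
# property of the policy file, not of the certificate.
echo "other-server vs trust store {otherca}: $(cert_trusted otherca.pem other-server.pem)"
echo "our-server   vs trust store {otherca}: $(cert_trusted otherca.pem our-server.pem)"
echo "keys and certificates left in $WORK"
```

The generated files are left in $WORK so they can be inspected with
`openssl x509 -in our-server.pem -noout -text`; delete the directory when
done. Note that this checks only the chain (step 3 of the original
poster's list); the hostname and validity-period checks are separate and
still have to be done by the client.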

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost will be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------