[Pkg-auth-maintainers] PKI / SSL activities

Tabibel Sami sami.tabibel at gmail.com
Wed Jun 5 15:20:41 UTC 2013


Hi Daniel,  Hi everybody

Thanks for your answer,

On reflecting on the points that you had given me, I feel that I need to
learn more about the problem. I need to understand what is (are) the
problem(s) with Debian PKI, and what is the aim of such a project
(improving Debian PKI)?
Why do we need to share a default source for retrieving system certificate
anchors and blacklist information? To interrogate SSL/TLS sockets? And
how can these processes protect against fake certificates / increase security?
What are the risks with the actual configuration?

Any comments, explanations, any reference to docs are welcome.

Thanks in advance,
Regards.

Sami

On Tue, Jun 4, 2013 at 9:59 PM, Daniel Pocock <daniel at pocock.com.au> wrote:

>
>
> On 03/06/13 12:50, Tabibel Sami wrote:
> > Hi Daniel,
> >     I have looked at the links you gave me, and I would be interested in
> > the following ideas:
> > * Implementing a library to do CRL/OCSP/blacklist checking and make
> > applications use it
> > * Implementing a tool that interrogates all open sockets that appear to
> > support TLS/SSL and reports problems
>
> You are referring to sockets in the listening state, or all active sockets?
>
> > * A tool for monitoring / reviewing sensitive directories and reporting
> > on changes
> >
> > but I do not have a concrete idea about the work to be done and so I
> > need your advice to choose a topic.
> >
>
> You would probably be able to use a few approaches to discover certs on
> the filesystem:
>
> - inotify would provide a useful way to discover when programs access
> known certificate files
>
> - PEM files have some distinctive features.  You can find them in
> various ways:
> a) they are usually not very big (less than 10kb)
> b) they contain certain patterns (e.g. beginning with ---)
>
> You could also look at packages such as ssl-cert-check:
> http://packages.debian.org/sid/ssl-cert-check
>
> to find interesting ideas.
>
> As a way forward, I would like to continue this discussion on one of the
> mailing lists.  Could you subscribe to pkg-auth and reply to this email
> through the list?  Then we might get some collaboration from other
> members of the Debian community.
>
> https://lists.alioth.debian.org/mailman/listinfo/pkg-auth-maintainers
>
> Regards,
>
> Daniel
>
>
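
Daniel's two heuristics for finding PEM files on the filesystem (small size, distinctive `-----BEGIN` marker), written out in Python as an added example that is not part of the original thread. The function names, the default `/etc/ssl` root and the extra check for private keys readable by group or others are assumptions for illustration.

```python
import os
import re
import stat

MAX_PEM_SIZE = 10 * 1024  # size heuristic from the thread: PEM files are usually under 10 KB
PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def find_pem_files(root, max_size=MAX_PEM_SIZE):
    """Walk root and return {path: [PEM labels]} for small files holding PEM blocks."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Skip symlinks, devices, and anything over the size threshold.
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(max_size)
            except OSError:
                continue  # unreadable file: ignore it and keep scanning
            labels = [m.decode("ascii") for m in PEM_BEGIN.findall(data)]
            # Require a matching END line so a stray BEGIN marker is not reported.
            labels = [lab for lab in labels
                      if b"-----END " + lab.encode("ascii") + b"-----" in data]
            if labels:
                found[path] = labels
    return found


def loose_private_keys(found):
    """Return paths holding a private key that group or others can read (added check)."""
    hits = []
    for path, labels in found.items():
        if any(lab.endswith("PRIVATE KEY") for lab in labels):
            if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl"  # assumed default root
    results = find_pem_files(root)
    for path, labels in sorted(results.items()):
        print(path, ", ".join(labels))
    for path in loose_private_keys(results):
        print("WARNING: private key readable by group/others:", path)
```
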