[Pkg-auth-maintainers] PKI / SSL activities

Daniel Pocock daniel at pocock.com.au
Wed Jun 5 21:45:45 UTC 2013



On 05/06/13 17:20, Tabibel Sami wrote:
> Hi Daniel,  Hi everybody
> 
> Thanks for your answer,
> 
> On reflecting on the points that you gave me, I feel that I need to
> learn more about the problem. I need to understand: what is (are) the
> problem(s) with the Debian PKI? What is the aim of such a project
> (improving the Debian PKI)?
> Why do we need to share a default source for retrieving system certificate
> anchors and blacklist information? To interrogate SSL/TLS sockets? And
> how can these processes prevent fake certificates / increase security?
> What are the risks with the actual configuration?

Hi Sami,

I'm glad you want to continue investigating things in this area even if
we can't provide this opportunity with GSoC.

I must emphasize that you need to take some initiative to try things,
even to experiment with them.  My impression so far is that you understand
the basic theories, e.g. the hashes we discussed, but you need to
practice with some of the tools that people use on Debian (and all UNIX
systems).

Have you ever tried setting up an HTTPS web server, for example?  The
apache2 web server is a common one.  CACert.org provides free SSL
certificates that you can use for testing.  I think that is probably a
good first step - once you have a server with a certificate on it, you
will then be able to make a more practical examination of some of the
issues that need to be addressed.

Regards,

Daniel


> Any comments, explanations, any reference to docs are welcome.
> 
> Thanks in advance,
> Regards.
> 
> Sami
> 
> On Tue, Jun 4, 2013 at 9:59 PM, Daniel Pocock <daniel at pocock.com.au> wrote:
> 
>>
>>
>> On 03/06/13 12:50, Tabibel Sami wrote:
>>> Hi Daniel,
>>>     I have looked at the links you gave me, and I would be interested in
>>> the following ideas:
>>> * Implementing a library to do CRL/OCSP/blacklist checking and make
>>> applications use it
>>> * Implementing a tool that interrogates all open sockets that appear to
>>> support TLS/SSL and reports problems
>>
>> You are referring to sockets in the listening state, or all active sockets?
>>
>>> * A tool to monitor / review sensitive directories and report on
>>> changes
>>>
>>> but I do not have a concrete idea about the work to be done and so I
>>> need your advice to choose a topic.
>>>
>>
>> You would probably be able to use a few approaches to discover certs on
>> the filesystem:
>>
>> - inotify would provide a useful way to discover when programs access
>> known certificate files
>>
>> - PEM files have some distinctive features.  You can find them in
>> various ways:
>> a) they are usually not very big (less than 10 kB)
>> b) they contain certain patterns (e.g. beginning with ---)
>>
>> You could also look at packages such as ssl-cert-check:
>> http://packages.debian.org/sid/ssl-cert-check
>>
>> to find interesting ideas.
>>
>> As a way forward, I would like to continue this discussion on one of the
>> mailing lists.  Could you subscribe to pkg-auth and reply to this email
>> through the list?  Then we might get some collaboration from other
>> members of the Debian community.
>>
>> https://lists.alioth.debian.org/mailman/listinfo/pkg-auth-maintainers
>>
>> Regards,
>>
>> Daniel
>>
>>
> 
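The PEM-discovery heuristics Daniel lists above (small files beginning with ---) together with the "review sensitive directories" idea, worked into an added Python example that is not part of this thread or of any Debian package: it walks a tree, keeps regular files under 10 kB whose content carries a PEM BEGIN header, reports the block labels found, and flags private-key blocks that sit in world-readable files. The sample tree, its file names and the placeholder bodies are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# A PEM block opens with "-----BEGIN <LABEL>-----"; the label says what it holds.
PEM_HEADER = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----", re.MULTILINE)
MAX_PEM_SIZE = 10 * 1024  # rule of thumb from the mail: PEM files are small
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(path):
    """Return the PEM block labels in a file, or [] if it is not PEM-like."""
    if not os.path.isfile(path) or os.path.getsize(path) > MAX_PEM_SIZE:
        return []
    with open(path, "rb") as fh:
        data = fh.read(MAX_PEM_SIZE)
    return [m.group(1).decode() for m in PEM_HEADER.finditer(data)]

def scan_pem(root):
    """Walk root; return sorted (relpath, labels, exposed) for every PEM-like file,
    where exposed is True when a private-key block sits in a world-readable file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            labels = pem_labels(path)
            if not labels:
                continue
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            exposed = world_readable and bool(PRIVATE_LABELS & set(labels))
            findings.append((os.path.relpath(path, root), labels, exposed))
    return sorted(findings)

def build_fixture():
    """Constructed sample tree; bodies are placeholders, not real key material."""
    root = tempfile.mkdtemp()
    sample = {  # relative path: (content, mode)
        "etc/ssl/certs/site.pem": (b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n", 0o644),
        "etc/ssl/private/site.key": (b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n", 0o644),
        "etc/ssl/private/good.key": (b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n", 0o600),
        "etc/hosts": (b"127.0.0.1 localhost\n", 0o644),  # not PEM
        "var/log/big.log": (b"-----BEGIN CERTIFICATE-----\n" + b"x" * MAX_PEM_SIZE, 0o644),  # too big
    }
    for rel, (body, mode) in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root
```

Running scan_pem("/etc/ssl") on a real host gives an inventory of certificates and keys to cross-check against inotify-based monitoring; the size cap keeps log files and bundles out of the results.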