Opened 16 years ago

Last modified 15 years ago

#68 new enhancement

compute tubid from the root of a certificate chain

Reported by: Brian Warner Owned by:
Priority: minor Milestone: undecided
Component: usability Version: 0.2.5
Keywords: Cc:

Description

Somewhere I have a "key-management" document, describing a new way to deal with certificates. The idea is to use a certificate chain instead of a single cert, and to compute the tubid from the root of the chain. This would allow key-rotation.

Change History (2)

comment:1 Changed 16 years ago by Brian Warner

http://twistedmatrix.com/trac/ticket/711 was the old twisted/pb2 ticket for this.

comment:2 Changed 15 years ago by Brian Warner

Priority: majorminor

Note that this would make Foolscap vulnerable to weak hash algorithms used in signed certificates. At the moment, we only depend upon the SHA1 hash of the certificate itself, so even if !OpenSSL is creating MD5-self-signed certs by default, we aren't vulnerable to the collisions already found in MD5.

So implementing this, while perhaps making cert-rotation easier, could also hurt security.

Note: See TracTickets for help on using tickets.