Ticket #68 (new enhancement)

Opened 2 years ago

Last modified 9 months ago

compute tubid from the root of a certificate chain

Reported by: warner
Assigned to:
Priority: minor
Milestone: undecided
Component: usability
Version: 0.2.5
Keywords:
Cc:

Description

Somewhere I have a "key-management" document, describing a new way to deal with certificates. The idea is to use a certificate chain instead of a single cert, and to compute the tubid from the root of the chain. This would allow key-rotation.

Change History

06/16/08 12:07:21 changed by warner

http://twistedmatrix.com/trac/ticket/711 was the old twisted/pb2 ticket for this.

05/19/09 15:46:45 changed by warner

  • priority changed from major to minor.

Note that this would make Foolscap vulnerable to weak hash algorithms used in signed certificates. At the moment, we only depend upon the SHA1 hash of the certificate itself, so even if OpenSSL is creating MD5-self-signed certs by default, we aren't vulnerable to the collisions already found in MD5.

So implementing this, while perhaps making cert-rotation easier, could also hurt security.
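Added example, not part of the ticket and not Foolscap code: a sketch of the trade-off discussed above, comparing an id pinned to the SHA1 of one certificate with an id taken from the root of a chain, where every non-root link has to be vetted for the hash its signature relies on. The function names, the base32 encoding of the id and the sample certificates (constructed DER skeletons, not real certs) are assumptions made for illustration.

```python
import base64
import hashlib

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # OID 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
WEAK_SIG_OIDS = {MD5_RSA: "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def signature_oid(cert_der):
    """OID bytes of Certificate.signatureAlgorithm (the outer, second field)."""
    tag, body, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(body, 0)  # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(body, pos)
    oid_tag, oid, _ = read_tlv(alg, 0)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 Certificate structure")
    return oid

def pinned_id(cert_der):
    """Id that depends only on the SHA1 of the exact certificate bytes."""
    return base64.b32encode(hashlib.sha1(cert_der).digest()).decode().lower()

def chain_id(chain):
    """Id from the root of a leaf-first chain, refusing weakly signed links.

    Signature verification itself is out of scope here; this only vets the
    hash algorithm each non-root link relies on. The root is pinned by hash,
    so the algorithm of its self-signature does not matter.
    """
    for cert in chain[:-1]:
        name = WEAK_SIG_OIDS.get(signature_oid(cert))
        if name:
            raise ValueError("chain link signed with " + name)
    return pinned_id(chain[-1])

def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only

def fake_cert(sig_oid, label):
    """Constructed sample: Certificate layout with dummy tbs and signature."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x0C, label)) + alg + tlv(0x03, b"\x00" * 9))

ROOT_MD5 = fake_cert(MD5_RSA, b"root")  # MD5 self-signed root, pinned by hash
LEAF_SHA256 = fake_cert(SHA256_RSA, b"leaf")
LEAF_MD5 = fake_cert(MD5_RSA, b"leaf")
```

With these samples, a chain of one MD5-self-signed cert yields the same id as pinning it directly, rotating a SHA256-signed leaf leaves the id unchanged, and a leaf signed with MD5 is refused.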