Opened 16 years ago
Last modified 15 years ago
#68 new enhancement
compute tubid from the root of a certificate chain
Reported by: | Brian Warner | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | undecided |
Component: | usability | Version: | 0.2.5 |
Keywords: | Cc: |
Description
Somewhere I have a "key-management" document, describing a new way to deal with certificates. The idea is to use a certificate chain instead of a single cert, and to compute the tubid from the root of the chain. This would allow key-rotation.
Change History (2)
comment:1 Changed 16 years ago by
comment:2 Changed 15 years ago by
Priority: | major → minor |
---|
Note that this would make Foolscap vulnerable to weak hash algorithms used in signed certificates. At the moment, we only depend upon the SHA1 hash of the certificate itself, so even if !OpenSSL is creating MD5-self-signed certs by default, we aren't vulnerable to the collisions already found in MD5.
So implementing this, while perhaps making cert-rotation easier, could also hurt security.
http://twistedmatrix.com/trac/ticket/711 was the old twisted/pb2 ticket for this.