Re: SSL Bump Certificate Blacklist

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 20 Sep 2011 09:05:10 -0600

On 09/20/2011 05:46 AM, Fabian Hugelshofer wrote:
> On 09/16/2011 04:35 PM, Alex Rousskov wrote:
>> On 09/16/2011 12:55 AM, Fabian Hugelshofer wrote:
>>>>> What would you use to identify the certificates?
>>>>> - Serial number?
>>>>> - Serial number and common name?
>>>>> - Serial number and issuer?
>>>>> - Fingerprint (might not be available in each case)?
>>>>
>>>>
>>>> I hope somebody already answered these important questions in general
>>>> CRL context!
>>>
>>> CRLs use the serial number in combination with the issuer.
>
> The issuer name and the serial are probably not sufficient as there can
> be multiple CAs with the same name (certificates with different
> validity, different trust chains, ...).
>
>
>> If we implement a custom black list, we can be flexible and support all
>> of the above. To start with, I guess we should block all certificates
>> with DigiNotar in the chain.
>
>
> What are the next steps, would you like me to open a Squid Bug?

I believe the rule is that new features should be documented on wiki,
but opening a "feature request" bug report would not hurt, I guess.

Can you summarize the minimum number of new ACL types that you think we
should support to make this work? I know we want issuer name and serial
number. Do we want notBefore and notAfter matching? Anything else?

Do we need to be able to test a match against a certificate at Nth
position in the chain? Or can we always test all certificates in the chain?

It would be nice to hear from others regarding this issue to make sure
we are not missing something important.

Thank you,

Alex.
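As an added example (not code from the Squid thread or project), here is a small model of the ACL matching discussed above: blacklist rules keyed on issuer name, serial number, fingerprint and the notBefore/notAfter dates, tested either against one position in the chain or against every certificate in it. All certificate fields, names and fingerprints are constructed sample data.

```python
# Added example, not code from the Squid thread or project. Certificates are
# plain records (constructed sample data) so the matching logic runs offline.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    fingerprint: str  # hex digest over the DER encoding; constructed here
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class BlacklistRule:
    """Every set field must match; a None field is a wildcard."""
    issuer: Optional[str] = None
    serial: Optional[int] = None
    fingerprint: Optional[str] = None
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None

    def matches(self, cert: Cert) -> bool:
        fp = None if self.fingerprint is None else self.fingerprint.lower()
        checks = [(self.issuer, cert.issuer), (self.serial, cert.serial),
                  (fp, cert.fingerprint.lower()),
                  (self.not_before, cert.not_before),
                  (self.not_after, cert.not_after)]
        return all(want is None or want == have for want, have in checks)

def chain_blocked(chain: List[Cert], rules: List[BlacklistRule],
                  position: Optional[int] = None) -> Optional[int]:
    """Return the index of the first blacklisted certificate, or None.
    position=None tests every certificate in the chain (the "anything with
    a blacklisted CA in the chain" case); an integer tests only that
    position, 0 being the leaf."""
    positions = range(len(chain)) if position is None else [position]
    for i in positions:
        if 0 <= i < len(chain) and any(r.matches(chain[i]) for r in rules):
            return i
    return None

# Constructed chain, leaf first: LEAF <- INTERMEDIATE <- ROOT (self-signed).
ROOT = Cert("Example Root CA", 1, "aa" * 20,
            datetime(2000, 1, 1), datetime(2030, 1, 1))
INTERMEDIATE = Cert("Example Root CA", 2, "bb" * 20,
                    datetime(2011, 1, 1), datetime(2016, 1, 1))
LEAF = Cert("Example Intermediate CA", 4711, "cc" * 20,
            datetime(2011, 6, 1), datetime(2012, 6, 1))
CHAIN = [LEAF, INTERMEDIATE, ROOT]
# A different CA that happens to carry the same issuer name and serial:
# an issuer+serial rule cannot tell it apart, only a fingerprint can.
LOOKALIKE = Cert("Example Root CA", 2, "dd" * 20,
                 datetime(2005, 1, 1), datetime(2020, 1, 1))
```

An issuer-only rule on the root's name blocks the chain at position 1 when all positions are tested but not when only the leaf (position 0) is tested, which is the difference between the two ACL semantics Alex asks about.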
Received on Tue Sep 20 2011 - 15:05:58 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 22 2011 - 12:00:05 MDT