[kmail2] [Bug 385687] certification path validation

bugzilla_noreply at kde.org
Tue May 8 14:24:09 BST 2018


https://bugs.kde.org/show_bug.cgi?id=385687

--- Comment #7 from ekaratsiolis at mtg.de ---
Hello,

please find an evaluation of the test cases below:

CERT_PATH_ALGO_STRENGTH_01 (and ..._02).

Lots of libraries still accept weak algorithms for compatibility reasons. This
does not prohibit the user, for example, from using them for verifying a digital
signature and accepting rogue (or valid) certificates. The possibility to
configure which algorithms are accepted could be an option here.

CERT_PATH_COMMON_05.

For KMail this leads to the email being presented as a normal email. Here
someone could just flip a few bits and the receiver cannot notice that there
was a problem. Wrongly encoded certificates are infamous for buffer overflows.

CERT_PATH_COMMON_08 (and ..._10).

This is important since expired certificates are allowed to be removed from the
CRL. Not checking whether a certificate has expired may result in a missed
revocation.

Please note that there are other so-called validity models (chain model and
hybrid model) where this check is not that important; in the Internet PKI,
however, the shell model is used (everything must be valid at verification
time) and this check is important.

CERT_PATH_COMMON_13

This is not conforming to the specification, which allows self-signed
certificates in the path. This does not happen often in practice.

CERT_PATH_EMAIL_04

This is not conforming to the specification, which mandates certain
extended key usages (see RFC 5280 [Sec. 4.2.1.12] and RFC 5750 [Sec. 4.4.4]).
If a CA needs to limit the usage of a certificate (for whatever reason) this is
not taken into consideration by the client.

Best Regards

Vangelis
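
Added example (not part of the original comment and not KMail or GnuPG code): the three validity models named under CERT_PATH_COMMON_08, evaluated over a constructed certification path. The chain and hybrid definitions used here are the commonly cited ones and go beyond what the comment spells out; all names and dates are made up, and the issuance time of a certificate is approximated by its notBefore.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def shell_model(path, verification_time):
    # Internet PKI: every certificate must be valid at verification time.
    return all(c.valid_at(verification_time) for c in path)


def hybrid_model(path, signing_time):
    # Every certificate must have been valid when the signature was created.
    return all(c.valid_at(signing_time) for c in path)


def chain_model(path, signing_time):
    # Each issuer valid when it issued the next certificate (assumption:
    # issuance time == child's notBefore); end-entity valid at signing time.
    issuers_ok = all(issuer.valid_at(child.not_before)
                     for issuer, child in zip(path, path[1:]))
    return issuers_ok and path[-1].valid_at(signing_time)


# Constructed path, trust anchor first, end-entity last.
PATH = [
    Cert("CN=Example Root", utc(2010, 1, 1), utc(2030, 1, 1)),
    Cert("CN=Example Sub CA", utc(2012, 1, 1), utc(2016, 1, 1)),
    Cert("CN=alice@example.org", utc(2015, 6, 1), utc(2018, 6, 1)),
]


def evaluate(path, signed, verified):
    return {"shell": shell_model(path, verified),
            "hybrid": hybrid_model(path, signed),
            "chain": chain_model(path, signed)}


if __name__ == "__main__":
    # Signed after the Sub CA expired, verified while the end-entity is valid.
    print(evaluate(PATH, utc(2017, 3, 1), utc(2018, 5, 8)))
```

A client that skips the expiry check behaves like none of these models: it would accept the path above at any time, including after the Sub CA's serial could have been dropped from the CRL.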
