[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #11464 [Tor]: Implement a blacklist for authority certificate signing keys
#11464: Implement a blacklist for authority certificate signing keys
-------------------------------------------------+-------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor:
Component: Tor | 0.2.5.x-final
Keywords: tor-client 024-backport | Version:
023-backport heartbleed | Actual Points:
Parent ID: | Points:
-------------------------------------------------+-------------------------
For background see https://lists.torproject.org/pipermail/tor-
dev/2014-April/006663.html and https://lists.torproject.org/pipermail/tor-
dev/2014-April/006664.html .
We should have a way to blacklist authority signing keys at the client-
side. In the longer term, we should implement a full on revocation (see
#11458), but for now, we can at least revoke certificates hard by
blacklisting them client-side.
I think that the right way to do this is to have any signing keys on that
blacklist always have their signatures treated as "BAD". This doesn't
prevent us from fetching or holding those certs, and so doesn't mess up
our cert fetching code.
Obviously, any fix here is a backport candidate.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11464>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs