Thanks all for the input. The most preferred option was
implementing an additional trust store feature that would, if
enabled, disallow the use of expired trust anchors ('b') using the
approach of re-computing the certification path ('2').
I intend to implement this under QPID-7867 over the nex
On 2 August 2017 at 17:01, Rob Godfrey wrote:
> On 2 August 2017 at 17:43, Lorenz Quack wrote:
>
>> Hi all,
>>
>> tl;dr
>> =
>> I think overall if it would come to a vote right now I would vote like
>> this:
>> a) -1
>> b.1) -1
>> b.2) +0
>> c) +1
>>
>>
> I think I'd vote for implementing opt
I would vote for implementation of option b.2, as it looks to me as a
security improvement. It should resolve the issue reported by Martin and
should disallow all expired trust anchors in general.
Kind Regards,
Alex
On 2 August 2017 at 11:50, Keith W wrote:
> Hello
>
> Martin Krasa raised JIRA
ad a) This would solve the issue when the "peers only" truststore is used.
The point that without the "peers only" store you can easily circumvent
this is valid, but I don't think that this new feature would make the
situation any worse. Perhaps the code itself can be included directly in
the Peer
On 2 August 2017 at 17:43, Lorenz Quack wrote:
> Hi all,
>
> tl;dr
> =
> I think overall if it would come to a vote right now I would vote like
> this:
> a) -1
> b.1) -1
> b.2) +0
> c) +1
>
>
I think I'd vote for implementing option b.2), or option a) but only for
"peers only" truststores (si
Hi all,
tl;dr
=
I think overall if it would come to a vote right now I would vote like this:
a) -1
b.1) -1
b.2) +0
c) +1
reasoning follows inline:
On Wed, 2017-08-02 at 15:13 +0100, Keith W wrote:
> If we were to add a feature to help the use-case, we'd need to decide
> on the scope.
>
> Th
Correcting two typos.
On 2 August 2017 at 15:13, Keith W wrote:
> If we were to add a feature to help the use-case, we'd need to decide
> on the scope.
>
> The alternatives I see:
>
> (a) validate the expiration of self-signed certificates used for
> authentication purposes only
>
> (b) broaden t
If we were to add a feature to help the use-case, we'd need to decide
on the scope.
The alternatives I see:
(a) validate the expiration of self-signed certificates used for
authentication purposes only
(b) broaden the feature. Disallow all expired trust anchors. This
which would include (a) but
Hello
Martin Krasa raised JIRA QPID-7867 [1] on 21st July. As the JIRA
possibly alluded to a potential security issue, the initial discussion
was held in private on the Qpid private / Apache security lists. We
have now reached a point where there is an agreement that there is no
security issue a