On 05/07/2014 03:51 PM, Werner Koch wrote: > On Wed, 7 May 2014 18:17, kristian.fiskerstr...@sumptuouscapital.com said:
>> I strongly suggest using the original hostname provided as SNI when >> performing keyserver lookups, this is also consistent with current > > Okay. What about a dirmngr options to enable or disable the use of the > pool name? I agree with Kristian that the name given by the user should be the name sent to the remote server, and should also be the name checked against the certificate. Using a DNS reverse lookup to modify the name supplied to the remote host is a violation of the security assumptions that underpin the goal of using TLS in this case. If i understand the reverse DNS lookup Werner is describing correctly, an attacker capable of spoofing the DNS should be able to modify the name that the client expects. C: Client D: DNS resolver (could be compromised) S: server C→D: give me the address for keys.example.org D→C: keys.example.org is at 192.0.2.3 C→D: what is the name for 192.0.2.3? D→C: the name for 192.0.2.3 is evilsite.example C→S: hi, i would like evilsite.example S→C: sure, here is my certificate for evilsite.example So any S just needs a certificate for *any* domain from a trusted X.509 root authority, if the attacker able to take over or poison D. Kerberos used to do a similar DNS reverse lookup, and they no longer recommend doing it because of the same security concerns. --dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel