Re: [Bug-wget] Trust On First Use & GSoC 2015 participation
From: Ángel González
Subject: Re: [Bug-wget] Trust On First Use & GSoC 2015 participation
Date: Fri, 13 Mar 2015 21:40:08 +0100
User-agent: Thunderbird
(adding back the list)
On 13/03/15 16:53, Molnár Géza wrote:
> Hi Ángel.
>
> "Try to come up with a few options and submit them to the list.
> A potential problem is that wget can be used either as an interactive
> tool or as a batch one. It isn't appropriate that a cron job stops
> asking if it should trust a certificate (ok, here we would just check
> isatty), but what to do if after 6 hours downloading recursively, the
> process finds an unknown certificate? How to combine with the
> traditional PKI ssl? Maybe in the future we will want to support DANE,
> and design the switches supporting that, too?"
>
> The first thing that came to my mind was to introduce a new command
> line switch eg. --trust-on-first-use. This would be used to tell wget
> to print a warning about a certificate that has an unknown issuer, but
> save it to the ~/.wget/trusted_certs folder (or somewhere else), one file
> per certificate, and continue downloading. Once a certificate was
> downloaded using this switch it would no longer be necessary to use
> --trust-on-first-use to download from that server. Does this behavior
> seem logical?
>
> As for the implementation: As I can see wget already supports external
> certificate verification using ‘--ca-directory=directory’. I'm sure it
> would be easy to make use of this feature to implement trust on first
> use. This solution could work with every ssl lib supported at the time
> and perhaps DANE in the future. Am I going in the right
> direction here?
So you would need to use --ca-directory=~/.wget/trusted_certs on next runs?
I think you would need to use a switch like --trust-model¹
trust-on-first-use (typically set in .wgetrc) to enter into TOFU mode.
There's also the dilemma of whether the normal PKI shall be trusted in TOFU or
not (I don't think it should trust, but maybe it should if PKI was also
listed in the --trust-model, or there's a --ca-directory and the signing
CA is there).
¹ This is the same switch name used by gpg
PS: ~/.wget wouldn't be the best path, see
http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
albeit I'm not sure if such trust is 'configuration' or 'data'.
> (During the week I implemented tofu using the gnutls's
> gnutls_verify_stored_pubkey () and gnutls_store_pubkey() and it
> worked, but I realized it is not a good idea to implement this for
> every ssl lib independently)
I have been looking, and gnutls seems to almost provide it. If there's a
big difference, it could be a gnutls-only option, but it should at least
accept such switches and do something with openssl (I'm not sure if it
should fail or ignore it with a warning)
> If the above seems ok, I'll start working on it and post a patch by
> tomorrow afternoon.
>
> Thanks
> Geza
Cheers
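The thread discusses the TOFU semantics (pin on first contact and continue, no switch needed on later runs, what to do when the key changes, and the interactive-vs-batch question) without showing them in code. The following is an added model of that policy, not wget code and not the GnuTLS functions Géza mentions; it is written here to make the decision table concrete. Assumptions (all hypothetical): the store is a directory with one file per host:port holding a SHA-256 fingerprint of the server's public key (pinning the key rather than the whole certificate, which is what gnutls_store_pubkey() also does), a caller that is on a terminal passes an `ask` callback while a batch run passes none, and a changed key is always refused rather than silently re-pinned.

```python
"""Model of trust-on-first-use (TOFU) for a TLS client (added example).

Policy modelled:
  - unknown endpoint, TOFU enabled: warn, pin the key, continue
    (an interactive caller may decline via `ask`)
  - known endpoint, same key: continue, whether or not TOFU is enabled,
    so later runs need no --trust-on-first-use switch
  - known endpoint, different key: refuse; never silently re-pin
  - unknown endpoint, TOFU disabled: refuse (PKI-only behaviour)
"""
import hashlib
import os
import tempfile

# Verdicts returned by tofu_check()
FIRST_USE = "first-use"        # unknown endpoint, key pinned now, continue
KNOWN = "known"                # pinned key matches, continue
MISMATCH = "mismatch"          # pinned key differs, refuse
UNKNOWN_REFUSED = "unknown"    # TOFU disabled and no pin, refuse
DECLINED = "declined"          # interactive user refused to pin


def fingerprint(public_key_der: bytes) -> str:
    """SHA-256 over the DER-encoded public key (SubjectPublicKeyInfo)."""
    return "sha256:" + hashlib.sha256(public_key_der).hexdigest()


def pin_path(store_dir: str, host: str, port: int) -> str:
    """One file per endpoint, e.g. <store>/example.org_443 (hypothetical layout)."""
    safe_host = host.lower().replace(os.sep, "_")
    return os.path.join(store_dir, f"{safe_host}_{port}")


def tofu_check(store_dir, host, port, public_key_der, tofu_enabled,
               ask=None, warn=print):
    """Return one of the verdicts above and, on FIRST_USE, write the pin.

    ask:  callable(host, port, fp) -> bool, supplied only by an interactive
          caller (e.g. when stdin is a tty); a batch job passes None and
          gets a warning instead of a blocking prompt.
    warn: where diagnostics go; replace to silence in tests.
    """
    fp = fingerprint(public_key_der)
    path = pin_path(store_dir, host, port)
    if os.path.exists(path):
        with open(path, encoding="ascii") as f:
            stored = f.read().strip()
        if stored == fp:
            return KNOWN
        warn(f"ERROR: public key for {host}:{port} changed "
             f"(stored {stored}, got {fp}); refusing to connect")
        return MISMATCH
    if not tofu_enabled:
        warn(f"ERROR: {host}:{port} is unknown and TOFU mode is not enabled")
        return UNKNOWN_REFUSED
    if ask is not None and not ask(host, port, fp):
        return DECLINED
    os.makedirs(store_dir, mode=0o700, exist_ok=True)
    with open(path, "w", encoding="ascii") as f:
        f.write(fp + "\n")
    warn(f"WARNING: first use of {host}:{port}; pinned {fp}")
    return FIRST_USE


def demo(warn=lambda msg: None):
    """Walk the policy through a fresh store with constructed key bytes."""
    key_a = b"constructed-public-key-A"  # stand-in for real DER SPKI bytes
    key_b = b"constructed-public-key-B"
    with tempfile.TemporaryDirectory() as store:
        return [
            # 1. PKI-only run against an unknown server: refused
            tofu_check(store, "example.org", 443, key_a, False, warn=warn),
            # 2. TOFU run: warns, pins key A, continues
            tofu_check(store, "example.org", 443, key_a, True, warn=warn),
            # 3. Later run without the switch: pin exists, so it continues
            tofu_check(store, "example.org", 443, key_a, False, warn=warn),
            # 4. Key changed: refused even with TOFU enabled
            tofu_check(store, "example.org", 443, key_b, True, warn=warn),
            # 5. Interactive user says no: nothing is pinned
            tofu_check(store, "mirror.test", 443, key_a, True,
                       ask=lambda *_: False, warn=warn),
            # 6. ...so a PKI-only run still sees it as unknown
            tofu_check(store, "mirror.test", 443, key_a, False, warn=warn),
        ]


if __name__ == "__main__":
    print(demo(warn=print))
```

Step 3 is the behaviour Géza asks about (no switch needed once pinned); step 4 is the case the thread leaves open and the model resolves conservatively, since a silent re-pin would defeat the point of pinning. A real implementation would additionally have to decide how a long recursive download should react to a MISMATCH mid-run, which this model leaves to the caller.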