-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/11/09 22:15, Karl O. Pinc wrote: > On 11/11/2009 06:26:04 AM, David Sommerseth wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 11/11/09 12:06, Mathieu GIANNECCHINI wrote: >>> Victor Wagner a écrit : > >>>> But if entire certificate would be available, it would be possible >> to >>>> extract any information from it (or hash it with any algorithm) >> from the >>>> script using openssl command line utility or some binding or >> OpenSSL >>>> libraries to the choosen script language. > >> Indeed! And you're about to get my vote for this implementation ... >> but >> I have two concerns. > >> 2) If an attacker sends a certificate with his certificate and 999 CA >> certificates in a chain, what will happen? What happens if the disk >> goes full or the certificate cannot be written? > > You're a lot less likely to fill the disk than you are to run out > of RAM.
Indeed true, but its also a scenario to consider. If the certificates cannot be written to either memory or disk, proper error handling must make sure the situation is handled correctly. And running openvpn on embedded systems with small filesystems or RAM disks can cause this error as well. kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkr7zycACgkQDC186MBRfrryuACgjw9Je6aQWGNeCbWQRDWfGdCg x7QAoI5ETmIDWNXhycJN5TrRbydM1Tij =HrZ/ -----END PGP SIGNATURE-----
