#tlsnotary-chat

i'm getting 04 d8 d1 ... for facebook pubkey, anyone else? dansmith_btc , grandmaster, oakpacific , all?

sorry ignore that, forgot to switch to RSA

NSA is watching you

read about regin yet?

can i reinstate your Q from yesterday, when would a server send more than 1 certificate?

because i think i'm seeing that behaviour right now

7.4.2 RFC: "certificate_list

This is a sequence (chain) of X.509v3 certificates. The sender's

certificate must come first in the list. Each following

certificate must directly certify the one preceding it."

dansmith_btc, we maybe should be considering the implications of this in terms of what we take from the browser

i mean i'm reasonably confident that taking the first certificate and comparing it is fine. but we should know that for sure.

oakpacific, scotland-latvia connection here :) https://paybis.com/en

well, there are lots of these services around

like mysterious underground hawalas

waxwing, the browser gives you only one cert, which is *this* site's cert, it doesnt give you CA certs

dansmith_btc, yes i know

however i clearly saw an example of more than 1 cert

which is in line with the RFC; you have a variable length vector of certs according to the spec

certs len (3 bytes), [cert1 len (3 bytes), cert1, cert2 len(3 bytes), cert2...]

plus see what i wrote above from 7.4.2

i always those are simply certs of the CA higher up in the chain all the way to the root CA. there's always only 1 cert for the server in the Cert TLS msg.

*always thought

dansmith_btc, my best theory (although too busy to investigate) is that, according to the language in the rfc there, a site decides to create a sub-cert of its own cert and delivers that one, along with the one that certifies it.

that kind of makes sense i think

bottom line if browser says it's ok, we only need to check it's the same. seems reasonable?

dansmith_btc, am i right in saying that in the via-crypto-js execution path, we're not MAC-checking the server finished here?

no, aesjs only decrypts html (aesjs does a mac check internally), server finished is still being done somewhere with slowaes, waxwing

somewhere? the server finished mac check that i wrote is done in process_server_app_data_records.

sry, im confusing things

aesjs doesnt do mac check. still, server finished is done with slowaes

but where? i only did that check in process_server_app_data_records, did you do it somewhere else? dansmith_btc

process_server_ccs_finished

ok, i finally see what u mean :)

no biggie, i just wanted to sanity check. i'm redoing it now, i'll just make check_finished a separate small function and call it before the fork between slowaes and js

yeah it's confusing that there are two separate checks - checking the verify data, and checking the mac

belcher: hi

hey

any plan for christmas?

spend time with family

and code

see friends

usual stuff

im about to start coding now

listening to some stuff i found on soundcloud though

speaking of that, are you from a catholic or orthodox balkan country

catholic

right

just realize that i forgot islamic :)

oh yeah

hey listen to this https://soundcloud.com/scheinizzl/scheinizzl-ch...

if you like that kind of music, i dunno

oakpacific yeah also a bunch of atheists :p

hows the visa oakpacific ?

belcher: well, new shit today, digging myself out of it