h2o / picotls

TLS 1.3 implementation in C (master supports RFC8446 as well as draft-26, -27, -28)

Unclear note #539

Open doublex opened 1 month ago

doublex commented 1 month ago

This note: "Note 1: Minicrypto binding is capable of signing a handshake using the certificate's key, but cannot verify a signature sent by the peer."

Question: Does this mean that picotls is vulnerable to man-in-the-middle attacks when used as a client?

huitema commented 3 weeks ago

A client using picotls with the minicrypto backend is indeed vulnerable to MITM attacks. A client using picotls with the openssl backend is not. The MbedTLS work in progress would fix that, but using picotls with the MbedTLS backend is currently only supported when using the picoquic implementation of QUIC.

Servers using picotls and either backend are OK.

doublex commented 3 weeks ago

@huitema Do you think it would be complicated to implement signature verification in minicrypto?

huitema commented 2 weeks ago

It depends. If you want to support HTTP, for example, you must be able to verify the certificates commonly used on the web, and that means having implementations of RSA, ECDSA, etc. This means finding a package that implements them and can be used by picotls. Then, you will need to write the certificate chain verifier, with all its complexity. And you will have to deal with managing the error cases, decide whether to bypass them, etc. It can be a big job, and any bug translates into a security issue for the application.

An alternative would be to write that as a separate package, outside of picotls, and provide the certificate verification function that can be used by the application.