From: Julien Danjou <julien@danjou.info>
To: Vincent Bernat <bernat@luffy.cx>
Cc: ding@gnus.org
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Sat, 16 Nov 2013 14:11:33 +0100 [thread overview]
Message-ID: <871u2g1ofu.fsf@dex.adm.naquadah.org> (raw)
In-Reply-To: <m338mwsig3.fsf@neo.luffy.cx> (Vincent Bernat's message of "Sat, 16 Nov 2013 12:18:52 +0100")
[-- Attachment #1: Type: text/plain, Size: 1696 bytes --]
On Sat, Nov 16 2013, Vincent Bernat wrote:
> By default, I would see that all checks are enabled by default: the
> certificate has not expired, the hostname matches and the certificate is
> signed by a known authority (certificates in `gnutls-trustfiles`).
+1
> When something goes wrong, we get a buffer with the certificate in
> "clear text" (like openssl x509 -in ... -noout -text). If needed, this
> is something that I can dig and provide C code for GNU TLS. This output
> contains the certificate fingerprint.
>
> A user has the possibility to whitelist the fingerprint and bypass any
> test. We should have both `gnutls-whitelist-certificates` variable and
> an option to override this whitelist when using gnutls-negotiate. The
> rationale is that we can't expect all gnutls-negotiate users to
> implement whitelisting.
>
> I think that whitelisting by fingerprint is an improvement over what is
> currently done by browsers which whitelist a whole domain without
> pinning the certificate.
>
> In the same way as for whitelisting, default verification options should
> be a variable with possibility to override it by using the appropriate
> option of `gnutls-negotiate`.
>
> Verification options could be:
>
> - `expired-certificate`
> - `revoked-certificate`
> - `untrusted-certificate`
> - `hostname-mismatch`
I think this is a really good idea and I'm waiting for that for a long
time. Since I don't have time to do this myself currently, consider this
message as a strong support. \o/
I'd be happy to help and test as far as I can.
--
Julien Danjou
-- Free Software hacker - independent consultant
-- http://julien.danjou.info
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 835 bytes --]
next prev parent reply other threads:[~2013-11-16 13:11 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-02 11:22 Vincent Bernat
2013-11-02 11:27 ` Julien Danjou
2013-11-02 17:40 ` Vincent Bernat
2013-11-02 21:09 ` Vincent Bernat
2013-11-03 11:53 ` Ted Zlatanov
2013-11-04 19:54 ` Vincent Bernat
2013-11-04 21:10 ` Ted Zlatanov
2013-11-04 22:38 ` Vincent Bernat
2013-11-11 15:45 ` Ted Zlatanov
2013-11-16 11:18 ` Vincent Bernat
2013-11-16 13:11 ` Julien Danjou [this message]
2013-12-08 4:22 ` Ted Zlatanov
2013-12-08 8:39 ` Vincent Bernat
2013-12-08 16:08 ` Ted Zlatanov
2013-12-14 18:06 ` Ted Zlatanov
2013-12-16 1:39 ` Katsumi Yamaoka
2013-12-16 6:31 ` Herbert J. Skuhra
2013-12-16 13:51 ` Tassilo Horn
2013-12-16 15:25 ` Ted Zlatanov
2013-12-16 15:24 ` Ted Zlatanov
2013-12-16 15:27 ` Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871u2g1ofu.fsf@dex.adm.naquadah.org \
--to=julien@danjou.info \
--cc=bernat@luffy.cx \
--cc=ding@gnus.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).