From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/67543
Path: news.gmane.org!not-for-mail
From: Simon Josefsson <simon@josefsson.org>
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Bug#499774: starttls is a joke
Date: Wed, 08 Oct 2008 00:41:25 +0200
Message-ID: <87abdgt4dm.fsf@mocca.josefsson.org>
References: <871vzca7gp.fsf@natisbad.org> <87y71kpmq7.fsf@bubble.risko.hu>
	<87od2g31hf.fsf@natisbad.org>
	<87tzc8upgf.fsf@marauder.physik.uni-ulm.de>
	<87fxnsjfu3.fsf@mocca.josefsson.org> <87wsh4gjgi.fsf@natisbad.org>
	<87prmjjosn.fsf@mocca.josefsson.org>
	<m3vdw4rva0.fsf@merlin.emma.line.org>
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1223419358 7632 80.91.229.12 (7 Oct 2008 22:42:38 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 7 Oct 2008 22:42:38 +0000 (UTC)
Cc: Daiki Ueno <ueno@unixuser.org>,  RISKO Gergely <risko@debian.org>,  ding@gnus.org
To: Matthias Andree <matthias.andree@gmx.de>
Original-X-From: ding-owner+M15994@lists.math.uh.edu Wed Oct 08 00:43:34 2008
Return-path: <ding-owner+M15994@lists.math.uh.edu>
Envelope-to: ding-account@gmane.org
Original-Received: from util0.math.uh.edu ([129.7.128.18])
	by lo.gmane.org with esmtp (Exim 4.50)
	id 1KnLH6-0003DJ-Lh
	for ding-account@gmane.org; Wed, 08 Oct 2008 00:43:29 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu)
	by util0.math.uh.edu with smtp (Exim 4.63)
	(envelope-from <ding-owner+M15994@lists.math.uh.edu>)
	id 1KnLFL-00073w-2T; Tue, 07 Oct 2008 17:41:39 -0500
Original-Received: from mx2.math.uh.edu ([129.7.128.33])
	by util0.math.uh.edu with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.63)
	(envelope-from <simon@josefsson.org>)
	id 1KnLFJ-00073a-IQ
	for ding@lists.math.uh.edu; Tue, 07 Oct 2008 17:41:37 -0500
Original-Received: from quimby.gnus.org ([80.91.231.51])
	by mx2.math.uh.edu with esmtp (Exim 4.69)
	(envelope-from <simon@josefsson.org>)
	id 1KnLFD-0003Qq-2X
	for ding@lists.math.uh.edu; Tue, 07 Oct 2008 17:41:37 -0500
Original-Received: from yxa-v.extundo.com ([83.241.177.39] ident=Debian-exim)
	by quimby.gnus.org with esmtp (Exim 3.36 #1 (Debian))
	id 1KnLFI-00015f-00
	for <ding@gnus.org>; Wed, 08 Oct 2008 00:41:36 +0200
Original-Received: from c80-216-18-41.bredband.comhem.se ([80.216.18.41] helo=mocca.josefsson.org)
	by yxa-v.extundo.com with esmtpsa (TLS-1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.63)
	(envelope-from <simon@josefsson.org>)
	id 1KnLF8-0001h9-Cy; Wed, 08 Oct 2008 00:41:27 +0200
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:081007:risko@debian.org::FquLR+3KCMpjR/nG:kDV
X-Hashcash: 1:22:081007:ueno@unixuser.org::EuCeHXsMiWY+TOhN:3841
X-Hashcash: 1:22:081007:ding@gnus.org::uBQRgAIa8qa8RbHg:6C0J
X-Hashcash: 1:22:081007:matthias.andree@gmx.de::wACmQdUYPXsVQpRp:7ABI
In-Reply-To: <m3vdw4rva0.fsf@merlin.emma.line.org> (Matthias Andree's message
	of "Tue, 07 Oct 2008 22:43:19 +0200")
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL autolearn=ham version=3.2.3 (2007-08-08) host=yxa-v.extundo.com
X-Spam-Score: -2.6 (--)
List-ID: <ding.gnus.org>
Precedence: bulk
Xref: news.gmane.org gmane.emacs.gnus.general:67543
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/67543>

Matthias Andree <matthias.andree@gmx.de> writes:

> [Stripping Debian BTS bug from Cc: list]
>
> Simon Josefsson <simon@josefsson.org> writes:
>
>> arno@natisbad.org (Arnaud Ebalard) writes:
>>
>>>>>> "This software does not have any authentication capabilities: it does
>>>>>> not allow you to authenticate your peer, which is a basic requirement
>>>>>> for TLS/SSL to be used securely. You should only use it for testing
>>>>>> purposes and not relaying important information. Be aware that you are
>>>>>> vulnerable to MITM when using it"
>>>>
>>>> That seems correct to me.
>>>>
>>>> Note that even if you use gnutls-cli, you need to configure it to use
>>>> appropriate trust anchors to get full security.
>>>                                    ^^^^^^^^^^^^^
>>>
>>> I hope you mean "a working setup". If you do not provide it any (set of)
>>> trust anchor, it should not be able to verify server's certificate and
>>> should fail, shouldn't it?
>>
>> Right, and that's what I meant with "you need to configure it to use
>> appropriate trust anchors".  If you do that, you should get full
>> security (whatever that means).
>
> Please change that for gnutls-cli 2.8.0 - preferably, the tool should
> get a new name then to make the change of paradigm obvious to consumers
> such as Gnus.

You've lost me, exactly what change are you talking about?  And what is
wrong today?

/Simon