From: Ted Zlatanov <tzz@lifelogs.com>
To: ding@gnus.org
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Mon, 04 Nov 2013 16:10:49 -0500 [thread overview]
Message-ID: <87li13q3dy.fsf@flea.lifelogs.com> (raw)
In-Reply-To: <m3zjpkndsd.fsf@neo.luffy.cx>
On Mon, 04 Nov 2013 20:54:26 +0100 Vincent Bernat <bernat@luffy.cx> wrote:
VB> I agree with you but I find odd to have two verification algorithms. I
VB> don't see the point of verifying the hostname if the certificate is
VB> invalid on some other points and I don't see the point of not verifying
VB> the hostname.
IIRC, the hostname is an optional part of a certificate and certificates
are not the only form of authentication. So there are two cases (verify
connection and verify certificate hostname).
VB> I mean, if you accept any valid certificate, it is trivial for me to
VB> present you with the certificate of my website. If you accept any
VB> invalid certificate with the right hostname, it is also trivial for me
VB> to build a self-signed certificate with the right hostname.
I think verifying the hostname is a subset of verifying the remote in
general. I just didn't express it well.
VB> So, for me, there should be only one verification algorithm. We are not
VB> in the ideal case for this because we only have one algorithm but its
VB> name does not exactly describe it.
VB> Maybe you could just alias verify-error and verify-hostname-error and
VB> say in the documentation that they do the same and that
VB> verify-hostname-error will be removed at some point?
I think :verify-error should be a list; when it contains 'x509-hostname
then we behave like :verify-hostname-error does now, for backwards
compatibility. But otherwise we'll add extra checks to the list, not as
top-level options to `gnutls-boot'. It's easy to put a Customize
interface on top of that.
Ted
next prev parent reply other threads:[~2013-11-04 21:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-02 11:22 Vincent Bernat
2013-11-02 11:27 ` Julien Danjou
2013-11-02 17:40 ` Vincent Bernat
2013-11-02 21:09 ` Vincent Bernat
2013-11-03 11:53 ` Ted Zlatanov
2013-11-04 19:54 ` Vincent Bernat
2013-11-04 21:10 ` Ted Zlatanov [this message]
2013-11-04 22:38 ` Vincent Bernat
2013-11-11 15:45 ` Ted Zlatanov
2013-11-16 11:18 ` Vincent Bernat
2013-11-16 13:11 ` Julien Danjou
2013-12-08 4:22 ` Ted Zlatanov
2013-12-08 8:39 ` Vincent Bernat
2013-12-08 16:08 ` Ted Zlatanov
2013-12-14 18:06 ` Ted Zlatanov
2013-12-16 1:39 ` Katsumi Yamaoka
2013-12-16 6:31 ` Herbert J. Skuhra
2013-12-16 13:51 ` Tassilo Horn
2013-12-16 15:25 ` Ted Zlatanov
2013-12-16 15:24 ` Ted Zlatanov
2013-12-16 15:27 ` Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87li13q3dy.fsf@flea.lifelogs.com \
--to=tzz@lifelogs.com \
--cc=ding@gnus.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).