From: Vincent Bernat <bernat@luffy.cx>
To: ding@gnus.org
Subject: Re: Builtin GnuTLS support and certificate verification
Date: Sat, 16 Nov 2013 12:18:52 +0100 [thread overview]
Message-ID: <m338mwsig3.fsf@neo.luffy.cx> (raw)
In-Reply-To: <87r4anhrh3.fsf@flea.lifelogs.com> (Ted Zlatanov's message of "Mon, 11 Nov 2013 10:45:44 -0500")
❦ 11 novembre 2013 16:45 CET, Ted Zlatanov <tzz@lifelogs.com> :
> VB> But I suppose you would have to implement a "confirm on error"
> VB> option. I cannot propose myself to implement that since I have
> VB> absolutely no clue on how Emacs Lisp interface with C.
>
> I'm interested in your opinion. How would you expect Emacs (on the
> GnuTLS C level or on the Gnus level) to handle these cases, and how
> would you control them with customizable variables?
>
> - expired cert
> - hostname mismatch
> - self-signed cert, first time seen
> - cert mismatch
>
> In general we have the problem of asking questions in the middle of
> establishing a network connection. This is not easy with Emacs, whose
> interactive ELisp layer is too complicated to be reliably called from
> the C layer. So all of the above have to work without user
> interaction.
Not being able to interact with the user is not a big problem I think:
we can still output messages to tell her what to do, right?
By default, I would see that all checks are enabled by default: the
certificate has not expired, the hostname matches and the certificate is
signed by a known authority (certificates in `gnutls-trustfiles`).
When something goes wrong, we get a buffer with the certificate in
"clear text" (like openssl x509 -in ... -noout -text). If needed, this
is something that I can dig and provide C code for GNU TLS. This output
contains the certificate fingerprint.
A user has the possibility to whitelist the fingerprint and bypass any
test. We should have both `gnutls-whitelist-certificates` variable and
an option to override this whitelist when using gnutls-negotiate. The
rationale is that we can't expect all gnutls-negotiate users to
implement whitelisting.
I think that whitelisting by fingerprint is an improvement over what is
currently done by browsers which whitelist a whole domain without
pinning the certificate.
In the same way as for whitelisting, default verification options should
be a variable with possibility to override it by using the appropriate
option of `gnutls-negotiate`.
Verification options could be:
- `expired-certificate`
- `revoked-certificate`
- `untrusted-certificate`
- `hostname-mismatch`
--
Let the machine do the dirty work.
- The Elements of Programming Style (Kernighan & Plauger)
next prev parent reply other threads:[~2013-11-16 11:18 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-02 11:22 Vincent Bernat
2013-11-02 11:27 ` Julien Danjou
2013-11-02 17:40 ` Vincent Bernat
2013-11-02 21:09 ` Vincent Bernat
2013-11-03 11:53 ` Ted Zlatanov
2013-11-04 19:54 ` Vincent Bernat
2013-11-04 21:10 ` Ted Zlatanov
2013-11-04 22:38 ` Vincent Bernat
2013-11-11 15:45 ` Ted Zlatanov
2013-11-16 11:18 ` Vincent Bernat [this message]
2013-11-16 13:11 ` Julien Danjou
2013-12-08 4:22 ` Ted Zlatanov
2013-12-08 8:39 ` Vincent Bernat
2013-12-08 16:08 ` Ted Zlatanov
2013-12-14 18:06 ` Ted Zlatanov
2013-12-16 1:39 ` Katsumi Yamaoka
2013-12-16 6:31 ` Herbert J. Skuhra
2013-12-16 13:51 ` Tassilo Horn
2013-12-16 15:25 ` Ted Zlatanov
2013-12-16 15:24 ` Ted Zlatanov
2013-12-16 15:27 ` Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m338mwsig3.fsf@neo.luffy.cx \
--to=bernat@luffy.cx \
--cc=ding@gnus.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).