From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Ted Zlatanov Newsgroups: gmane.emacs.devel Subject: url library and GnuTLS, and Emacs-issued certificates (was: expand tls to elpa.gnu.org) Date: Mon, 21 Mar 2011 17:33:33 -0500 Organization: =?utf-8?B?0KLQtdC+0LTQvtGAINCX0LvQsNGC0LDQvdC+0LI=?= @ Cienfuegos Message-ID: <878vw8hznm.fsf_-_@lifelogs.com> References: <87mxkojpk4.fsf@lifelogs.com> <87hbawtbq7.fsf@stupidchicken.com> NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: dough.gmane.org 1300747695 5861 80.91.229.12 (21 Mar 2011 22:48:15 GMT) X-Complaints-To: usenet@dough.gmane.org NNTP-Posting-Date: Mon, 21 Mar 2011 22:48:15 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Mar 21 23:48:11 2011 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([199.232.76.165]) by lo.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1Q1ntO-0003p8-S9 for ged-emacs-devel@m.gmane.org; Mon, 21 Mar 2011 23:48:09 +0100 Original-Received: from localhost ([127.0.0.1]:36327 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Q1ntF-0002Wn-Pb for ged-emacs-devel@m.gmane.org; Mon, 21 Mar 2011 18:47:57 -0400 Original-Received: from [140.186.70.92] (port=48687 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Q1nsw-0001bH-V3 for emacs-devel@gnu.org; Mon, 21 Mar 2011 18:47:44 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Q1nfY-0004lA-Me for emacs-devel@gnu.org; Mon, 21 Mar 2011 18:33:52 -0400 Original-Received: from lo.gmane.org ([80.91.229.12]:53375) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Q1nfY-0004l0-8O for emacs-devel@gnu.org; Mon, 21 Mar 2011 18:33:48 -0400 Original-Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1Q1nfV-0006A0-RQ for emacs-devel@gnu.org; Mon, 21 Mar 2011 23:33:45 +0100 Original-Received: from 38.98.147.130 ([38.98.147.130]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 21 Mar 2011 23:33:45 +0100 Original-Received: from tzz by 38.98.147.130 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 21 Mar 2011 23:33:45 +0100 X-Injected-Via-Gmane: http://gmane.org/ Original-Lines: 52 Original-X-Complaints-To: usenet@dough.gmane.org X-Gmane-NNTP-Posting-Host: 38.98.147.130 X-Face: bd.DQ~'29fIs`T_%O%C\g%6jW)yi[zuz6; d4V0`@y-~$#3P_Ng{@m+e4o<4P'#(_GJQ%TT= D}[Ep*b!\e,fBZ'j_+#"Ps?s2!4H2-Y"sx" User-Agent: Gnus/5.110014 (No Gnus v0.14) Emacs/24.0.50 (gnu/linux) Cancel-Lock: sha1:dHkSh7SebDU3wwcqWRmZjgZMsdM= X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3) X-Received-From: 80.91.229.12 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:137501 Archived-At: On Mon, 21 Mar 2011 17:17:20 -0400 Chong Yidong wrote: CY> Ted Zlatanov writes: aj> so far there is no tls/ssl support for elpa.gnu.org . In my opinion aj> this is a real problem as there is no way to check the authenticity aj> and integrity of downloaded packages. Is it possible to expand the aj> certificate of gnu.org to elpa.gnu.org? aj> Of course this makes the package-manager not checking integrity - aj> but I think anyone interested in doing so can modify it without aj> problems. >> >> I can install a certificate but it has to be requested by the domain >> owner so I'm not sure who to bug about it. CY> Why not simply distribute the certificate file with Emacs? I assumed we'd want https://elpa.gnu.org/packages/ to look reasonable in a web browser. In any case, I think it's a good idea to set up an Emacs Certificate Authority (CA) so we can create certificates that Emacs will trust. We just need to ship the CA's certificate with Emacs then, not every certificate it has signed. We can then make a .p12 file that browser users can import to trust Emacs-signed certificates. It may make sense, though, to make this CA a facility for the whole GNU project and then the Emacs CA can be an intermediate CA hanging off that root CA. That should be decided before we start pushing out certificates, please, so we don't have to invalidate them later. CY> Also, the Emacs package manager uses the url library for downloading via CY> http. How well does that library support https? If I give CY> `url-retrieve-synchronously' a https url, does it currently DTRT? It's insecure currently and won't work on all platforms. It uses tls.el (see `url-https-create-secure-wrapper') which in turn relies on the gnutls-cli or openssl binaries to be installed and usable, calling gnutls-cli by default with --insecure (though the user can manually adjust that, see `tls-checktrust'). We need the GnuTLS support at the C level to make the url library secure through gnutls.el. I need to look at Claudio Bley's patch that was posted on emacs-devel 2 days ago and figure out what's wrong with hostname verification against the certificate. Once that's done we can promote gnutls.el+gnutls.c to "need testing" and make them the default for the url library, Gnus, etc. If anyone wants to help with any part of this process, please let me know. I'm slow, especially at the C level, so Claudio's help was very welcome. Thanks Ted