From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: url library and GnuTLS, and Emacs-issued certificates
Date: Wed, 23 Mar 2011 10:30:29 -0500 [thread overview]
Message-ID: <87ei5xsvl6.fsf@lifelogs.com> (raw)
In-Reply-To: 878vw8hznm.fsf_-_@lifelogs.com
On Mon, 21 Mar 2011 17:33:33 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote:
TZ> On Mon, 21 Mar 2011 17:17:20 -0400 Chong Yidong <cyd@stupidchicken.com> wrote:
CY> Ted Zlatanov <tzz@lifelogs.com> writes:
aj> so far there is no tls/ssl support for elpa.gnu.org . In my opinion
aj> this is a real problem as there is no way to check the authenticity
aj> and integrity of downloaded packages. Is it possible to expand the
aj> certificate of gnu.org to elpa.gnu.org?
aj> Of course this makes the package-manager not checking integrity -
aj> but I think anyone interested in doing so can modify it without
aj> problems.
>>>
>>> I can install a certificate but it has to be requested by the domain
>>> owner so I'm not sure who to bug about it.
CY> Why not simply distribute the certificate file with Emacs?
TZ> I assumed we'd want https://elpa.gnu.org/packages/ to look reasonable in
TZ> a web browser.
TZ> In any case, I think it's a good idea to set up an Emacs Certificate
TZ> Authority (CA) so we can create certificates that Emacs will trust. We
TZ> just need to ship the CA's certificate with Emacs then, not every
TZ> certificate it has signed. We can then make a .p12 file that browser
TZ> users can import to trust Emacs-signed certificates.
TZ> It may make sense, though, to make this CA a facility for the whole GNU
TZ> project and then the Emacs CA can be an intermediate CA hanging off that
TZ> root CA. That should be decided before we start pushing out
TZ> certificates, please, so we don't have to invalidate them later.
Any opinions on this? It's really not hard to set up the CA stuff but
I'd like to know what people think before I do it. It really seems like
it should be a GNU-level or FSF-level facility.
CY> Also, the Emacs package manager uses the url library for downloading via
CY> http. How well does that library support https? If I give
CY> `url-retrieve-synchronously' a https url, does it currently DTRT?
TZ> It's insecure currently and won't work on all platforms. It uses tls.el
TZ> (see `url-https-create-secure-wrapper') which in turn relies on the
TZ> gnutls-cli or openssl binaries to be installed and usable, calling
TZ> gnutls-cli by default with --insecure (though the user can manually
TZ> adjust that, see `tls-checktrust'). We need the GnuTLS support at the C
TZ> level to make the url library secure through gnutls.el.
TZ> I need to look at Claudio Bley's patch that was posted on emacs-devel 2
TZ> days ago and figure out what's wrong with hostname verification against
TZ> the certificate. Once that's done we can promote gnutls.el+gnutls.c to
TZ> "need testing" and make them the default for the url library, Gnus, etc.
This work is almost done. But probably a better approach than relying
directly on gnutls.el is to make url.el use proto-stream.el from Gnus,
which handles most of the connection details automatically whether Emacs
has GnuTLS support build-in or not. I looked at it in order to make the
new GnuTLS support work properly and it seems like a good general
facility, not just for Gnus.
proto-stream.el doesn't depend on any Gnus internals, it's a standalone
library. It could live in net/ in the Emacs repo.
Thanks
Ted
next prev parent reply other threads:[~2011-03-23 15:30 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-19 16:21 expand tls to elpa.gnu.org axel.junker
2011-03-21 18:28 ` Ted Zlatanov
2011-03-21 21:17 ` Chong Yidong
2011-03-21 22:33 ` url library and GnuTLS, and Emacs-issued certificates (was: expand tls to elpa.gnu.org) Ted Zlatanov
2011-03-23 15:30 ` Ted Zlatanov [this message]
2011-03-23 18:31 ` url library and GnuTLS, and Emacs-issued certificates Chong Yidong
2011-03-23 18:47 ` Ted Zlatanov
2011-03-23 19:20 ` Lars Magne Ingebrigtsen
2011-03-23 21:51 ` Chong Yidong
2011-03-24 4:55 ` Lars Magne Ingebrigtsen
2011-03-24 18:42 ` Chong Yidong
2011-03-24 19:45 ` Lars Magne Ingebrigtsen
2011-03-24 19:23 ` Chong Yidong
2011-03-24 19:33 ` Ted Zlatanov
2011-03-24 19:37 ` Lars Magne Ingebrigtsen
2011-03-26 23:32 ` Chong Yidong
2011-03-26 23:39 ` Lars Magne Ingebrigtsen
2011-03-27 1:23 ` Chong Yidong
2011-03-27 10:31 ` Lars Magne Ingebrigtsen
2011-03-27 0:20 ` Lars Magne Ingebrigtsen
2011-03-27 1:30 ` Chong Yidong
2011-03-27 10:36 ` Lars Magne Ingebrigtsen
2011-03-27 17:42 ` Chong Yidong
2011-03-28 0:34 ` Chong Yidong
2011-03-29 20:54 ` Lars Magne Ingebrigtsen
2011-03-30 2:20 ` Chong Yidong
2011-03-26 12:07 ` Ted Zlatanov
2011-03-26 13:39 ` Reiner Steib
2011-03-26 14:09 ` Ted Zlatanov
2011-03-28 6:51 ` Reiner Steib
2011-03-26 19:40 ` Tom Tromey
2011-03-26 23:36 ` Chong Yidong
2011-03-27 1:31 ` Tom Tromey
2011-03-27 1:52 ` Chong Yidong
2011-03-28 15:10 ` Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ei5xsvl6.fsf@lifelogs.com \
--to=tzz@lifelogs.com \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).