From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 17:51:27 +0100
References: <83po0iuhs7.fsf@gnu.org> <83lgb4tg92.fsf@gnu.org> <83efgusvdw.fsf@gnu.org> <20180705115259.4032dbea@jabberwock.cb.piermont.com> <20180705123610.0d063564@jabberwock.cb.piermont.com>
In-Reply-To: <20180705123610.0d063564@jabberwock.cb.piermont.com>
To: "Perry E. Metzger"
Cc: Lars Ingebrigtsen, Paul Eggert, Emacs-Devel devel, Eli Zaretskii, Noam Postavsky
Xref: news.gmane.org gmane.emacs.devel:226964

>
> We are best off doing what the browser vendors are doing (Chrome,
> Firefox, and Safari generally being good exemplars.)
>

AFAIK, NSM is trying to do exactly that. Lars has set up a good structure here.

>
> Not having CT is a problem. Certificate forgery in the field is
> becoming a serious issue. Just a couple of days ago I was informed
> that the WiFi on Turkish airliners now intercepts your TLS
> traffic with the use of faked up certs. It's becoming so common in
> various countries that we simply need it. If GnuTLS won't do it, then
> we use something else that provides it.
>

There's a CT ticket[1] for GnuTLS. It's not coming any time soon though, so OCSP will have to do for now. Although, I'm pretty sure you can extract the raw DER bytes and parse the SCT extension in LISP using some bit manipulation magic (I don't even want to think about it now... feel free to pick it up).

[1]: https://gitlab.com/gnutls/gnutls/issues/232
[2]: https://www.gnutls.org/manual/gnutls.html#X_002e509-extensions
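The "bit manipulation magic" the reply refers to is the decoding of the embedded SCT extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962 section 3.3): the extension value is a DER OCTET STRING whose contents are a TLS-style length-prefixed list of serialized SCTs. The parser below is an added example written for this page, not code from the thread, from Emacs or from GnuTLS; it is in Python rather than Emacs Lisp so the byte layout can be checked stand-alone, and a Lisp port would walk the same offsets. The sample extension value is constructed inline by the `encode_*` helpers (the log IDs, timestamps and the placeholder signature bytes are made up and are not from any real log or certificate); verifying the signatures against a log list is a separate step that this example does not perform.

```python
"""Decode an X.509 SignedCertificateTimestampList extension (RFC 6962 section 3.3).

Layout inside the DER OCTET STRING:
  uint16 list_len, then repeated { uint16 sct_len, SerializedSCT }
SerializedSCT (v1):
  uint8 version(0) | 32-byte log_id | uint64 timestamp_ms |
  uint16 ext_len + extensions | uint8 hash_alg | uint8 sig_alg |
  uint16 sig_len + signature
"""
import struct
from datetime import datetime, timezone

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # id-ce-embeddedSCT (RFC 6962)
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def der_octet_string(data: bytes) -> bytes:
    """Unwrap one DER OCTET STRING (tag 0x04, short or long-form length)."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        length, offset = first, 2
    else:                                 # long form: 0x8N then N big-endian length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    body = data[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated DER OCTET STRING")
    return body


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    """Return buf[pos:pos+n] and the new position, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated SCT structure")
    return buf[pos:pos + n], pos + n


def parse_sct(sct: bytes) -> dict:
    """Decode one SerializedSCT body (the 2-byte list-entry length already stripped)."""
    version, pos = _take(sct, 0, 1)
    if version[0] != 0:
        raise ValueError(f"unsupported SCT version {version[0]}")
    log_id, pos = _take(sct, pos, 32)
    ts_raw, pos = _take(sct, pos, 8)
    ts_ms = struct.unpack(">Q", ts_raw)[0]
    ext_len_raw, pos = _take(sct, pos, 2)
    extensions, pos = _take(sct, pos, struct.unpack(">H", ext_len_raw)[0])
    hash_alg, pos = _take(sct, pos, 1)
    sig_alg, pos = _take(sct, pos, 1)
    sig_len_raw, pos = _take(sct, pos, 2)
    signature, pos = _take(sct, pos, struct.unpack(">H", sig_len_raw)[0])
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT")
    return {
        "version": 0,
        "log_id": log_id.hex(),
        "timestamp_ms": ts_ms,
        "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg[0], f"unknown({hash_alg[0]})"),
        "sig_alg": SIG_ALGS.get(sig_alg[0], f"unknown({sig_alg[0]})"),
        "signature": signature,
    }


def parse_sct_list_extension(ext_value: bytes) -> list[dict]:
    """Raw extension value -> list of decoded SCTs (outer DER wrapper + TLS list)."""
    tls_list = der_octet_string(ext_value)
    total_raw, pos = _take(tls_list, 0, 2)
    body, _ = _take(tls_list, pos, struct.unpack(">H", total_raw)[0])
    scts, pos = [], 0
    while pos < len(body):
        entry_len_raw, pos = _take(body, pos, 2)
        entry, pos = _take(body, pos, struct.unpack(">H", entry_len_raw)[0])
        scts.append(parse_sct(entry))
    return scts


# --- helpers used only to build a constructed sample input (not real CT data) ---
def _der_len(n: int) -> bytes:
    """Minimal DER length encoding, as a real encoder would emit."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def encode_sct(log_id: bytes, ts_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Serialize one v1 SCT with sha256(4)/ecdsa(3) algorithm identifiers."""
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)


def encode_sct_list_extension(scts: list[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    tls_list = struct.pack(">H", len(body)) + body
    return b"\x04" + _der_len(len(tls_list)) + tls_list


def sample_extension_value() -> bytes:
    """Constructed sample: two v1 SCTs with made-up log IDs and a placeholder signature."""
    sig = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # DER-shaped placeholder, not a real ECDSA signature
    return encode_sct_list_extension([
        encode_sct(bytes(range(32)), 1530800000000, sig),
        encode_sct(b"\xab" * 32, 1530800001000, sig),
    ])


if __name__ == "__main__":
    for sct in parse_sct_list_extension(sample_extension_value()):
        print(sct["log_id"][:16], sct["timestamp"].isoformat(), sct["hash_alg"], sct["sig_alg"])
```

Every read goes through `_take`, so a truncated or malformed extension raises `ValueError` instead of silently producing a partial list; a consumer that wants to require CT should treat a parse failure the same as an absent extension. The decoded `log_id` is what you would look up in a known-logs list, and `timestamp_ms` is the value the log's signature covers.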