From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Network security manager
Date: Wed, 19 Nov 2014 09:46:12 +0100
Message-ID:
References: <85a93pj1n5.fsf@stephe-leake.org> <87sihg7r73.fsf@alrua-karlstad.karlstad.toke.dk> <87a93oilxl.fsf@lifelogs.com> <8761ebg6b5.fsf@lifelogs.com>
To: emacs-devel@gnu.org
In-Reply-To: <8761ebg6b5.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 18 Nov 2014 23:31:10 -0500")
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:177721

Ted Zlatanov writes:

> What do you think about the verification and TOFU implementation in
> gnutls-cli? Please see
> https://gitorious.org/gnutls/gnutls/raw/master:src/cli.c inside
> cert_verify_callback() for the details.
>
> * uses SSH-style gnutls_store_pubkey() and gnutls_verify_stored_pubkey()
> to DTRT and pins the public key rather than the certificate
> fingerprint. The pub keys are stored by default in a way that lets the
> user look them up by hostname, but we can customize that. And it's
> mostly handled by GnuTLS internals as far as pubkey extraction and
> verification.
>
> * does DANE auth (although I don't know the details on DANE, the
> client implementation looks reasonable and Toke suggested it)
>
> * checks OCSP for revocations using cert_verify_ocsp() in the same cli.c

So gnutls proper doesn't do this? We'd have to implement it ourselves if
we want it... (I mean, copy chunks of their code. >"?)

Can we do DANE and OCSP from Emacs Lisp?

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
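The SSH-style public key pinning Ted describes above, as an added Emacs Lisp sketch that is not code from this thread or from Emacs's own network security manager; it assumes that `gnutls-peer-status` returns a `:public-key-id` inside its `:certificate` plist, and `tofu-pin-file` is a constructed path.

```elisp
;; Added example, not from this thread or Emacs's NSM: an SSH-style
;; trust-on-first-use store pinning the peer's public key (not the cert
;; fingerprint) per host:port. Assumes `gnutls-peer-status' exposes a
;; :public-key-id in its :certificate plist; `tofu-pin-file' is constructed.
(require 'gnutls)

(defvar tofu-pin-file (expand-file-name "tofu-pins.el" user-emacs-directory))
(defvar tofu-pins nil "Alist of (\"host:port\" . public-key-id).")

(defun tofu-load-pins ()
  "Read the pin store into `tofu-pins' (empty if the file is absent)."
  (setq tofu-pins
        (and (file-readable-p tofu-pin-file)
             (with-temp-buffer
               (insert-file-contents tofu-pin-file)
               (read (current-buffer))))))

(defun tofu-save-pins ()
  (with-temp-file tofu-pin-file
    (prin1 tofu-pins (current-buffer))))

(defun tofu-peer-public-key-id (process)
  "Return the GnuTLS public key id of PROCESS's TLS peer, or nil."
  (plist-get (plist-get (gnutls-peer-status process) :certificate)
             :public-key-id))

(defun tofu-check (process host port)
  "Return `new' (key pinned now), `match', or `mismatch' for HOST:PORT.
A mismatch means the key changed since first use: legitimate rotation or
an interposed server, so callers must not proceed silently."
  (let* ((key (format "%s:%d" host port))
         (id (tofu-peer-public-key-id process))
         (pinned (cdr (assoc key tofu-pins))))
    (cond ((null id) (error "No public key id for %s" key))
          ((null pinned)
           (push (cons key id) tofu-pins)
           (tofu-save-pins)
           'new)
          ((string= pinned id) 'match)
          (t 'mismatch))))

(defun tofu-open-tls (host port)
  "Open a TLS stream to HOST:PORT, closing it if the pinned key changed."
  (tofu-load-pins)
  (let ((proc (open-network-stream "tofu" nil host port :type 'tls)))
    (when (eq (tofu-check proc host port) 'mismatch)
      (delete-process proc)
      (error "Public key for %s:%d changed since it was pinned" host port))
    proc))
```

Only the TOFU part of Ted's list is covered here; DANE and OCSP checks are not exposed to Lisp by this sketch.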