From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Network security manager
Date: Wed, 19 Nov 2014 09:44:49 +0100
References: <85a93pj1n5.fsf@stephe-leake.org> <87sihg7r73.fsf@alrua-karlstad.karlstad.toke.dk> <87a93oilxl.fsf@lifelogs.com> <8761ebg6b5.fsf@lifelogs.com> <8761eb68z8.fsf@alrua-karlstad.karlstad.toke.dk>
To: Toke Høiland-Jørgensen
Cc: emacs-devel@gnu.org
In-Reply-To: <8761eb68z8.fsf@alrua-karlstad.karlstad.toke.dk> (Toke Høiland-Jørgensen's message of "Wed, 19 Nov 2014 06:43:39 +0100")
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:177720

Toke Høiland-Jørgensen writes:

> AFAICT this is functionally equivalent to what is currently in NSM;
> except it stores the public key rather than the fingerprint. I am not
> sure if there are any security implications to storing just the
> fingerprint...

You'd hope not. If there is, that's not a good fingerprint.

>"?
>> * does DANE auth (although I don't know the details on DANE, the
>> client implementation looks reasonable and Toke suggested it)
>
> I think the right thing to do would probably be to check DANE and use
> that as an additional input to the NSM dialog. I'd suggest the
> following:
>
> - Supply the DANE status as part of the 'certificate information' blurb
>   when popping up a prompt. For many (most?) setups this will be
>   'unknown' either because no DANE info is published in DNS or DNSSEC
>   validation fails (or both).
>
> - If valid DANE info is available *and* this doesn't match the shown
>   certificate, treat it as a reason to consider the certificate
>   insecure.
>
> I.e. treat a positive DANE verification as information to present to the
> user, and a verified failure as a cause for alarm. This corresponds to
> the current DANE RFC recommendations AFAICT...
>
>> * checks OCSP for revocations using cert_verify_ocsp() in the same
>> cli.c

DANE and especially revocation checking are kinda slow though? Which is
why Chrome doesn't do it.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
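The two mechanisms argued over in this message, pinning a fingerprint of the server's public key and using a validated TLSA (DANE) lookup as an extra input, can be written down as a small decision function. The block below is an added example written for this page; it is not code from Emacs's NSM, GnuTLS or the cli.c referred to above. It assumes the TLS stack has already handed back the certificate and SubjectPublicKeyInfo as DER (the byte strings here are constructed stand-ins), and that TLSA lookup and DNSSEC validation were done by the caller, who passes in the records and a validated/not-validated flag. It follows the three-way outcome proposed in the quoted text: "unknown" is informational, a validated match is informational, a validated mismatch marks the connection insecure. Only the end-entity TLSA usages (1 and 3) are checked; usages 0 and 2 constrain a CA in the chain and are treated as unusable here since no chain is modelled.

```python
"""Fingerprint pinning plus a DANE/TLSA check as inputs to an NSM-style
verdict. Added example, not code from Emacs's NSM or GnuTLS. The cert and
SPKI bytes are constructed stand-ins for the DER the TLS stack hands back;
TLSA lookup and DNSSEC validation are assumed to be done by the caller."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DaneStatus(Enum):
    UNKNOWN = "unknown"    # no usable TLSA record, or DNSSEC validation failed
    MATCH = "match"        # a validated TLSA record matches the presented cert
    MISMATCH = "mismatch"  # validated, usable TLSA records exist and none matches


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # RFC 6698 certificate usage; 1 = PKIX-EE, 3 = DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


def association_data(selected: bytes, matching_type: int) -> bytes:
    """Derive what the TLSA record should contain for the selected bytes."""
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def usable(record: TlsaRecord) -> bool:
    """End-entity usages only: usages 0 and 2 constrain a CA in the chain and
    would need the full chain, so this example treats them as unusable."""
    return (record.usage in (1, 3) and record.selector in (0, 1)
            and record.matching_type in (0, 1, 2))


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    selected = cert_der if record.selector == 0 else spki_der
    expected = association_data(selected, record.matching_type)
    return hmac.compare_digest(expected, record.data)


def dane_status(records, dnssec_validated: bool,
                cert_der: bytes, spki_der: bytes) -> DaneStatus:
    """Three-way outcome: unknown / match / mismatch."""
    if not dnssec_validated:
        return DaneStatus.UNKNOWN  # unvalidated TLSA data is not evidence either way
    usable_records = [r for r in records if usable(r)]
    if not usable_records:
        return DaneStatus.UNKNOWN
    if any(tlsa_matches(r, cert_der, spki_der) for r in usable_records):
        return DaneStatus.MATCH
    return DaneStatus.MISMATCH


def spki_fingerprint(spki_der: bytes) -> str:
    # Storing SHA-256(key) instead of the key itself loses nothing unless
    # SHA-256 second-preimage resistance fails, which is the point of the reply.
    return hashlib.sha256(spki_der).hexdigest()


def nsm_verdict(stored_fingerprint: Optional[str], spki_der: bytes, dane: DaneStatus):
    """Return (secure, notes). A positive DANE result is informational; a
    verified mismatch or a changed pinned key makes the connection insecure."""
    notes = []
    secure = True
    current = spki_fingerprint(spki_der)
    if stored_fingerprint is None:
        notes.append("no stored fingerprint for this host (first contact)")
    elif hmac.compare_digest(stored_fingerprint, current):
        notes.append("public key matches stored fingerprint")
    else:
        notes.append("public key differs from stored fingerprint")
        secure = False
    notes.append(f"DANE: {dane.value}")
    if dane is DaneStatus.MISMATCH:
        secure = False
    return secure, notes


# Constructed stand-ins for DER bytes; real values come from the TLS library.
CERT_DER = b"\x30\x82\x01\x00constructed-cert-body"
SPKI_DER = b"\x30\x59constructed-spki-body"
TLSA_OK = TlsaRecord(3, 1, 1, hashlib.sha256(SPKI_DER).digest())         # "3 1 1 <sha256>"
TLSA_OTHER_KEY = TlsaRecord(3, 1, 1, hashlib.sha256(b"other-key").digest())
TLSA_CA_CONSTRAINT = TlsaRecord(2, 0, 1, hashlib.sha256(b"ca").digest())  # not usable here

if __name__ == "__main__":
    status = dane_status([TLSA_OK], True, CERT_DER, SPKI_DER)
    print(nsm_verdict(spki_fingerprint(SPKI_DER), SPKI_DER, status))
```

The comparison of digests goes through `hmac.compare_digest` so a wrong fingerprint costs the same time as a right one; with a prompt-driven UI that hardly matters, but it is the habit to keep when the same check later runs unattended.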