From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Network security manager
Date: Wed, 19 Nov 2014 12:19:46 +0100
To: emacs-devel@gnu.org
References: <85a93pj1n5.fsf@stephe-leake.org> <87sihg7r73.fsf@alrua-karlstad.karlstad.toke.dk> <87a93oilxl.fsf@lifelogs.com> <8761ebg6b5.fsf@lifelogs.com> <8761eb68z8.fsf@alrua-karlstad.karlstad.toke.dk> <87vbmbe9b8.fsf@lifelogs.com>
In-Reply-To: <87vbmbe9b8.fsf@lifelogs.com> (Ted Zlatanov's message of "Wed, 19 Nov 2014 06:09:15 -0500")
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:177733

Ted Zlatanov writes:

> I am not a cryptographer so I hope some of those step in and suggest
> what's best. To me from what I know and based on the cited references,
> it seems it could be a choice but pinning the public key is better for
> most people. They won't have to accept again every time the certificate
> is reissued.

Hm... might one not want to track the certificate, though? If it's
changed, then there might be shenanigans. But if the attacker can
generate traffic with the trusted public key, the site would have larger
problems than with the certificate, so perhaps it doesn't add anything
much security-wise...

> Also, we're hashing the SubjectPublicKeyInfo not the public key bit
> string. The SPKI includes the type of the public key and some parameters
> along with the public key itself.

Does gnutls have a function to fingerprint that info? Or access it in
raw form? I guess we could just sha1 it ourselves.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
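The "sha1 it ourselves" idea from the message, as an added example that is not from the thread and not Emacs or GnuTLS code: a minimal DER walk in Python that pulls the raw SubjectPublicKeyInfo out of a certificate and hashes it, run over a constructed, unsigned certificate-shaped blob that is then "reissued" with a new serial number. The certificate fingerprint changes on reissue while the SPKI pin does not, which is the point Ted makes; SHA-1 follows the message, and SHA-256 works identically via the algo argument.

```python
import hashlib

SEQ, INT, BITS, NULL, OID, UTC, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0

def der_tlv(tag, content):
    """Encode one DER tag-length-value (contents up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content

def der_children(buf):
    """Split a constructed value's contents into (tag, contents, raw_tlv) triples."""
    out, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(buf[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, buf[i + hdr:i + hdr + n], buf[i:i + hdr + n]))
        i += hdr + n
    return out

def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV: algorithm, parameters and key bits together."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])  # tbsCertificate fields
    if fields[0][0] == CTX0:            # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    return fields[5][2]                 # serial, signature, issuer, validity, subject, SPKI

def fingerprint(data, algo="sha1"):
    """Hex digest of the given bytes; "sha256" is the stronger choice for a new pin store."""
    return hashlib.new(algo, data).hexdigest()

def make_cert(serial, spki):
    """Constructed, unsigned certificate-shaped DER (demo only, not a real certificate)."""
    alg = der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    name = der_tlv(SEQ, b"")                                             # empty Name
    validity = der_tlv(SEQ, der_tlv(UTC, b"141119000000Z") + der_tlv(UTC, b"151119000000Z"))
    tbs = der_tlv(SEQ, der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, bytes([serial]))
                  + alg + name + validity + name + spki)
    return der_tlv(SEQ, tbs + alg + der_tlv(BITS, b"\x00" * 9))          # dummy signature bits

# Constructed sample key: rsaEncryption AlgorithmIdentifier with NULL params plus 32 bytes of "key".
SAMPLE_SPKI = der_tlv(SEQ, der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))
                      + der_tlv(BITS, b"\x00" + bytes(range(32))))
CERT_V1 = make_cert(1, SAMPLE_SPKI)   # original issuance
CERT_V2 = make_cert(2, SAMPLE_SPKI)   # reissued: same key, new serial number

def pin_matches(pinned_spki_fp, cert_der, algo="sha1"):
    """True when the certificate carries the pinned public key, regardless of reissuance."""
    return fingerprint(spki_from_cert(cert_der), algo) == pinned_spki_fp

if __name__ == "__main__":
    pin = fingerprint(spki_from_cert(CERT_V1))
    print("cert fingerprints differ:", fingerprint(CERT_V1) != fingerprint(CERT_V2))
    print("SPKI pin still matches:  ", pin_matches(pin, CERT_V2))
```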