From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Wed, 08 Oct 2014 14:18:27 +0200
References: <1412716565-7786-1-git-send-email-toke@toke.dk> <87a957o87z.fsf@alrua-karlstad.karlstad.toke.dk> <87bnpm2249.fsf@toke.dk>
To: Toke Høiland-Jørgensen
Cc: Ted Zlatanov, emacs-devel@gnu.org
In-Reply-To: <87bnpm2249.fsf@toke.dk> (Toke Høiland-Jørgensen's message of "Wed, 08 Oct 2014 14:10:46 +0200")
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:175114

Toke Høiland-Jørgensen writes:

> Right, so (just to make sure I'm understanding you right), what you
> propose is to get rid of all the current validation logic in C (i.e. the
> erroring out) and just return something like ( hostname> ) -- and then
> make the lisp code work out the rest?

Yup, I think that would be more flexible.

I think it would also be nice if the entire cert was also returned (in a
convenient format), so that Emacs can display the pertinent parts while
querying the user about what action to take. Like "signed by CA foo on
date baz for host zot" and so on.

And perhaps display graphically the fingerprint like ssh does? I have no
idea what's involved there, so I don't know whether that would be
possible (or easy)...

> Right now it seems the C code refuses to even return the opened network
> stream object if validation fails; with this, that would have to change,
> and the C code wouldn't make any policy decisions?

Yup. But perhaps Ted (or other people) have opinions here.

>"?

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
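The split Lars sketches (the C layer reports only a verification status and the hostname, the Lisp layer pins and compares) together with the ssh-style visual fingerprint he asks about, as an added Python sketch that is not from this thread or from Emacs; the shape of the status list, the SHA-256 pin and the OpenSSH "randomart" layout are assumptions.

```python
import hashlib

# Assumed OpenSSH "randomart" conventions: 17x9 board, symbol ramp, S/E markers.
SYMBOLS = " .o+=*BOX@%&#/^"
WIDTH, HEIGHT = 17, 9

def fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER certificate; the value a TOFU store would pin."""
    return hashlib.sha256(cert_der).digest()

def randomart(fp: bytes, title: str = "SHA256") -> str:
    """Drunken-bishop walk: each byte gives four diagonal moves (bit 0 = x
    direction, bit 1 = y direction), clamped to the board; visit counts map
    onto SYMBOLS, the start cell is 'S' and the final cell is 'E'."""
    board = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    for byte in fp:
        for _ in range(4):
            x = min(max(x + (1 if byte & 1 else -1), 0), WIDTH - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), HEIGHT - 1)
            board[y][x] += 1
            byte >>= 2
    rows = [[SYMBOLS[min(v, len(SYMBOLS) - 1)] for v in row] for row in board]
    rows[HEIGHT // 2][WIDTH // 2] = "S"
    rows[y][x] = "E"
    top = "+" + ("[" + title + "]").center(WIDTH, "-") + "+"
    return "\n".join([top] + ["|" + "".join(r) + "|" for r in rows]
                     + ["+" + "-" * WIDTH + "+"])

def tofu_decide(host: str, cert_der: bytes, status: list, store: dict) -> str:
    """The policy step that would live on the Lisp side. `status` is the list
    of verification failures the C layer hands back (empty = chain validated
    against a trusted CA); `store` maps host -> pinned fingerprint hex.
    "mismatch" is where the UI would show both randomarts and ask the user."""
    fp = fingerprint(cert_der).hex()
    if not status:
        return "trusted"
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp           # first contact: remember the key and accept
        return "first-use"
    return "known" if pinned == fp else "mismatch"

if __name__ == "__main__":
    # Constructed sample, not a real certificate: hashing is all that matters here.
    cert = b"constructed-der-placeholder-for-example.test"
    store = {}
    print(tofu_decide("example.test", cert, ["self-signed"], store))  # first-use
    print(randomart(fingerprint(cert)))
```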