From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Jason Rumney <jasonr@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: Default value of tls-checktrust should be 'ask
Date: Tue, 08 Apr 2008 10:19:51 +0100
Message-ID: <47FB38B7.70806@gnu.org>
References: <m2y77ok979.fsf@kenny.sha-bang.de>
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1207646425 9103 80.91.229.12 (8 Apr 2008 09:20:25 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 8 Apr 2008 09:20:25 +0000 (UTC)
Cc: emacs-devel@gnu.org
To: Sascha Wilde <wilde@sha-bang.de>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Apr 08 11:20:57 2008
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by lo.gmane.org with esmtp (Exim 4.50)
	id 1JjA0e-00011y-Gi
	for ged-emacs-devel@m.gmane.org; Tue, 08 Apr 2008 11:20:56 +0200
Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1JjA00-0004eW-Ng
	for ged-emacs-devel@m.gmane.org; Tue, 08 Apr 2008 05:20:16 -0400
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Jj9zt-0004e5-Cq
	for emacs-devel@gnu.org; Tue, 08 Apr 2008 05:20:09 -0400
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1Jj9zr-0004dc-EN
	for emacs-devel@gnu.org; Tue, 08 Apr 2008 05:20:08 -0400
Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Jj9zr-0004dW-5u
	for emacs-devel@gnu.org; Tue, 08 Apr 2008 05:20:07 -0400
Original-Received: from mk-outboundfilter-4.mail.uk.tiscali.com ([212.74.114.32])
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <jasonr@gnu.org>) id 1Jj9zr-0000lc-2p
	for emacs-devel@gnu.org; Tue, 08 Apr 2008 05:20:07 -0400
Original-X-Trace: 54215202/mk-outboundfilter-2.mail.uk.tiscali.com/F2S/$ACCEPTED/freedom2Surf-customers/83.67.23.108
X-SBRS: None
X-RemoteIP: 83.67.23.108
X-IP-MAIL-FROM: jasonr@gnu.org
X-IP-BHB: Once
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqIEACfV+kdTQxds/2dsb2JhbACBXKlz
X-IP-Direction: IN
Original-Received: from i-83-67-23-108.freedom2surf.net (HELO wanchan.jasonrumney.net)
	([83.67.23.108])
	by smtp.f2s.tiscali.co.uk with ESMTP; 08 Apr 2008 10:20:05 +0100
Original-Received: from [192.168.249.27] (chiko.jasonrumney.net [192.168.249.27])
	by wanchan.jasonrumney.net (Postfix) with ESMTP id 213B737;
	Tue,  8 Apr 2008 10:20:09 +0100 (BST)
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
In-Reply-To: <m2y77ok979.fsf@kenny.sha-bang.de>
X-Enigmail-Version: 0.95.6
OpenPGP: id=8086879D
X-detected-kernel: by monty-python.gnu.org: Genre and OS details not
	recognized.
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:94683
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/94683>

Sascha Wilde wrote:

> the subject says it all.  ;-)
>
> The current default is nil, which means that server certificates are not
> checked which is a bad thing.  Not checking the certificate means, that
> SSL/TLS connections, which are supposed to be "save" (and most users
> will believe they are) are really not trustworthy.
>   

We should also provide an easy way to insert the certificate into a 
local trust store (ie 'ask will allow "always" and "never" as well as 
"yes" and "no" answers) , to give the power over who to trust back to 
the users, rather than allowing companies like Verisign to monopolise 
it. Does gnutls have a local per user store we can use for this?