From: Jason Rumney
Subject: Re: Default value of tls-checktrust should be 'ask
Date: Tue, 08 Apr 2008 12:08:09 +0100
To: Sascha Wilde
Cc: emacs-devel@gnu.org
Message-ID: <47FB5219.60903@gnu.org>
References: <47FB38B7.70806@gnu.org>

Sascha Wilde wrote:
> Jason Rumney wrote:
>
>> We should also provide an easy way to insert the certificate into a
>> local trust store (i.e. 'ask will allow "always" and "never" as well as
>> "yes" and "no" answers), to give the power over who to trust back to
>> the users, rather than allowing companies like Verisign to monopolise
>> it. Does gnutls have a local per user store we can use for this?
>>
>
> No need for this, you can always add (or remove) any CA's root
> certificate, see tls-checktrust docstring for examples on how to
> configure a specific root-cert collection. (and of course the
> documentation for gnutls for further details.)
>

How does the docstring of tls-checktrust solve the problem?

There is no convenient UI for trusting individual server certificates, independently of the CA that issued them (many servers I use have self-signed certificates). Telling the user to sort out their configuration outside of Emacs is not an acceptable substitute. Emacs users should not have to become experts in gnutls configuration merely to use an SSL-enabled mail server.
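The per-user trust store with "yes"/"no"/"always"/"never" answers that the quoted proposal describes, as an added illustration in Python that is not part of this thread or of Emacs' tls.el; the store file name, the `ask` callback and the certificate bytes are constructed assumptions:

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for a server's DER-encoded certificate; a real
# client would take these bytes from the TLS handshake.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a-constructed-self-signed-cert-bytes"


def fingerprint(cert_der: bytes) -> str:
    """Pin the leaf certificate itself by SHA-256, independent of any CA."""
    return hashlib.sha256(cert_der).hexdigest()


def check_trust(host: str, cert_der: bytes, store_path: Path, ask) -> bool:
    """Decide whether to trust cert_der for host.

    A remembered "always"/"never" answer for this (host, fingerprint) pair
    is honoured without prompting.  Otherwise ask(host, fp) is called and
    may return "yes", "no", "always" or "never"; only the last two are
    persisted, so a one-off "yes" does not silently become permanent.
    A changed certificate for a pinned host never matches the stored key,
    so the user is prompted again rather than trusted on the old pin.
    """
    key = f"{host}|{fingerprint(cert_der)}"
    store = json.loads(store_path.read_text()) if store_path.exists() else {}
    if key in store:
        return store[key] == "always"
    answer = ask(host, key.split("|", 1)[1])
    if answer in ("always", "never"):
        store[key] = answer
        store_path.write_text(json.dumps(store, indent=1))
    return answer in ("yes", "always")


def demo() -> list:
    """Walk the four answers through a fresh per-user store (constructed scenario)."""
    store = Path(tempfile.mkdtemp()) / "tls-trust.json"
    host, other, third = "mail.example", b"constructed-other-cert", b"constructed-third-cert"
    return [
        check_trust(host, SAMPLE_CERT_DER, store, lambda h, f: "always"),  # pinned on disk
        check_trust(host, SAMPLE_CERT_DER, store, lambda h, f: "no"),      # not asked: pin wins
        check_trust(host, other, store, lambda h, f: "never"),             # different cert, asked
        check_trust(host, other, store, lambda h, f: "yes"),               # not asked: never wins
        check_trust(host, third, store, lambda h, f: "yes"),               # one-off accept
        check_trust(host, third, store, lambda h, f: "no"),                # asked again
    ]
```

Pinning this way only shifts the question to the first contact: the initial "always" is the user's own judgement of that certificate, not a check against anyone's CA list.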