From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Wed, 08 Oct 2014 16:38:10 +0300
Message-ID: <838ukqk7gd.fsf@gnu.org>
References: <1412716565-7786-1-git-send-email-toke@toke.dk>
	<m3iojv4l87.fsf@stories.gnus.org>
	<87a957o87z.fsf@alrua-karlstad.karlstad.toke.dk>
	<m3ppe222ww.fsf@stories.gnus.org> <87bnpm2249.fsf@toke.dk>
	<m3zjd6zre4.fsf@stories.gnus.org> <83eguik9ip.fsf@gnu.org>
	<m3a956zpmd.fsf@stories.gnus.org> <83d2a2k91n.fsf@gnu.org>
	<m338ayzp5f.fsf@stories.gnus.org> <83bnpmk8fd.fsf@gnu.org>
	<m3y4sqy9pk.fsf@stories.gnus.org>
Reply-To: Eli Zaretskii <eliz@gnu.org>
NNTP-Posting-Host: plane.gmane.org
X-Trace: ger.gmane.org 1412775514 19500 80.91.229.3 (8 Oct 2014 13:38:34 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 8 Oct 2014 13:38:34 +0000 (UTC)
Cc: tzz@lifelogs.com, toke@toke.dk, emacs-devel@gnu.org
To: Lars Magne Ingebrigtsen <larsi@gnus.org>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Oct 08 15:38:24 2014
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1XbrRg-0000Yw-8a
	for ged-emacs-devel@m.gmane.org; Wed, 08 Oct 2014 15:38:24 +0200
Original-Received: from localhost ([::1]:36301 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1XbrRf-000658-UZ
	for ged-emacs-devel@m.gmane.org; Wed, 08 Oct 2014 09:38:23 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:60000)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eliz@gnu.org>) id 1XbrRM-00064m-GK
	for emacs-devel@gnu.org; Wed, 08 Oct 2014 09:38:09 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eliz@gnu.org>) id 1XbrRH-0001Et-Hk
	for emacs-devel@gnu.org; Wed, 08 Oct 2014 09:38:04 -0400
Original-Received: from mtaout27.012.net.il ([80.179.55.183]:36123)
	by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <eliz@gnu.org>)
	id 1XbrRH-0001En-4Q
	for emacs-devel@gnu.org; Wed, 08 Oct 2014 09:37:59 -0400
Original-Received: from conversion-daemon.mtaout27.012.net.il by mtaout27.012.net.il
	(HyperSendmail v2007.08) id
	<0ND400100O2SLX00@mtaout27.012.net.il> for emacs-devel@gnu.org;
	Wed, 08 Oct 2014 16:32:39 +0300 (IDT)
Original-Received: from HOME-C4E4A596F7 ([87.69.4.28]) by mtaout27.012.net.il
	(HyperSendmail v2007.08) with ESMTPA id
	<0ND400JFROAF4E70@mtaout27.012.net.il>;
	Wed, 08 Oct 2014 16:32:39 +0300 (IDT)
In-reply-to: <m3y4sqy9pk.fsf@stories.gnus.org>
X-012-Sender: halo1@inter.net.il
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 80.179.55.183
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:175129
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/175129>

> From: Lars Magne Ingebrigtsen <larsi@gnus.org>
> Cc: toke@toke.dk,  tzz@lifelogs.com,  emacs-devel@gnu.org
> Date: Wed, 08 Oct 2014 15:25:43 +0200
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > So you want to return a descriptor for a connection that failed
> > certificate validation, and let the application handle that?
> 
> The other option is to have the C layer close the connection, signal an
> error, have `open-network-stream' query the user about the invalid
> certificate, the user says "connect anyway", and then we'd reconnect
> with other options.
> 
> That seems less ... convenient.
> 
> > That could work, but I don't know what security-wary people here will
> > tell about keeping such connections.
> 
> I think I know.  >"?

What happens if some stuff comes out of the stream that failed to be
validated, while Emacs negotiates with the user about what to do?
Normally, we would pass this stuff to whatever sentinel was defined,
or insert it into a buffer.  Is that what you want?

> We're just moving the certificate handling up to the Lisp level --
> nothing more.

If what you want is to cause gnutls-boot call out to Lisp for
validation as part of its normal path, then that's fine, I think.  But
it does mean that we have no stream until the entire validation
completes.  My understanding of what was being suggested here was that
this is not what you have in mind:

> Right, so (just to make sure I'm understanding you right), what you
> propose is to get rid of all the current validation logic in C (i.e the
> erroring out) and just return something like (<cert hash> <cert
> hostname> <CA validity status>) -- and then make the lisp code work out
> the rest?
> 
> Right now it seems the C code refuses to even return the opened network
> stream object if validation fails; with this, that would have to change,
> and the C code wouldn't make any policy decisions?

That doesn't sound to me like "just moving the certificate handling up
to the Lisp level".