Re: NSM certificate prompt

[Eli Zaretskii <eliz@gnu.org>]

> From: Ted Zlatanov <tzz@lifelogs.com>
> Date: Sat, 13 Dec 2014 20:38:20 -0500
> 
> EZ> What would be the reason for the user to remove 'system from the list?
> EZ> If a user is somehow not happy about system trust data, she should
> EZ> customize her system (if she is authorized), not Emacs.  E.g., add a
> EZ> list of blacklisted certificates, remove certificates from the bundle,
> EZ> etc.
> 
> I don't see how it's OK to exclude users who are not authorized to
> customize their systems.  This is a common case.

If she's not authorized, she doesn't necessarily know what she is
doing.  This is security, right?

> Another case is where the system is out of date and you don't have the
> option of updating it, because it's too old or the update server is
> down.

This case means the user should want to _add_ certificates, not remove
the system ones.

> There's also the case that you may not want to use the host OS's trust
> store for your own reasons.  That should not be a struggle.  Emacs is
> not a all-in-one web browser, it's a platform.  Don't take away the
> users' choice of who they trust.

No other browser I know of allows that.

> Furthermore, GnuTLS until recently didn't have this functionality and
> somehow we survived. So it's not essential.

We survived because we do the equivalent by reading gnutls-trustfiles.

> But even if we decide to make 'system the only option

That's not my suggestion.  My suggestion is always to use system trust
(when it's available), and in addition allow the user to customize
gnutls-trustfiles.  The only issue is whether to have 'system' in
gnutls-trustfiles and allow its removal.

> we'd have "if you're running GnuTLS 3.x or older, you'll get this
> behavior, but with 3.y or newer, another behavior."

Yes, and why is that a problem?  Differences in behavior in different
versions exist whether we want it or not.

> I think it's pretty unpleasant behavior to dynamically toggle who
> you trust based on system library versions. So unless we *only*
> support GnuTLS versions that have this functionality, I'm strongly
> against making it the only option when it's available.
> 
> Finally, we have to consider backward compatibility.  Users who have
> customized their trustfiles should not be surprised.  We can put
> warnings in NEWS and blame the users when they don't read them, but I
> think it's much nicer to preserve the users' customizations.

Fine.  I'm going to make this a Windows-only code, and we can then
stop arguing.