From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 20:01:59 +0200
Message-ID: <83y4qb4eeg.fsf@gnu.org>
References: <83a92r625n.fsf@gnu.org> <87wq5vefiz.fsf@gmx.de> <83388j5wrs.fsf@gnu.org> <87mw6reaxu.fsf@gmx.de>
In-reply-to: <87mw6reaxu.fsf@gmx.de>
To: Michael Albinus
Cc: emacs-devel@gnu.org

> From: Michael Albinus
> Date: Sat, 13 Dec 2014 18:06:37 +0100
> Cc: emacs-devel@gnu.org
>
> In order not to create an infinite chain, there are so-called Root CAs,
> which are "known by default". If any chain ends in such a root
> certificate, you know that the initial certificate is true.
>
> The problem is to distribute and maintain such root
> certificates. Browsers have them built-in, but I don't believe Emacs
> (eww) shall do so.

GnuTLS on Windows uses the CertEnumCertificatesInStore API to retrieve
all the Root and Certification Authority certificates known to the
system. I suppose at least IE uses the same API, so I wonder how come
GnuTLS fails to validate the certificates, while IE succeeds. I guess
some debugging is in order.
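
One way to start the debugging mentioned in the message above, as an added example that is not part of the original thread or of Emacs or GnuTLS: it lists which certificates in the Windows Root and CA stores match the issuer of a failing certificate, then shows what the Windows chain builder (through .NET's `X509Chain`) makes of the same certificate. `$CertPath` is a hypothetical parameter, and the choice of the current user's `Root` and `CA` stores is an assumption about which stores the message means.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical path to the
# certificate that fails to validate, saved as a PEM or DER file.
param([Parameter(Mandatory)][string]$CertPath)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $CertPath).Path)

# Assumption: these are the "Root" and "Certification Authority" stores
# the message refers to.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA'

# Step 1: plain enumeration. Is any certificate whose subject equals the
# issuer of $cert present in the enumerated stores?
$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.SubjectName.Name -eq $cert.IssuerName.Name } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Thumbprint, NotAfter, Subject
}

"Issuer of the certificate: $($cert.Issuer)"
if ($hits) {
    $hits | Format-Table -AutoSize | Out-String
} else {
    'No certificate with that subject in the enumerated stores.'
}

# Step 2: the Windows chain builder, for comparison with step 1.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check local, no CRL/OCSP fetch
$built = $chain.Build($cert)

"Chain builder result: $built"
foreach ($element in $chain.ChainElements) {
    '  ' + $element.Certificate.Subject
}
foreach ($status in $chain.ChainStatus) {
    "  $($status.Status): $($status.StatusInformation.Trim())"
}
```

If step 1 finds no issuer while step 2 reports a complete chain, the two results differ in where the issuing certificate came from, which narrows what to look at next.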