From: Ted Zlatanov
Newsgroups: gmane.emacs.devel,gmane.comp.encryption.gpg.gnutls.devel
Subject: Re: Emacs core TLS support
Date: Wed, 15 Sep 2010 06:20:48 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <8762y79rsf.fsf@lifelogs.com>
References: <878wc1vfh3.fsf@lifelogs.com> <871vhsvkut.fsf@lifelogs.com> <87d41csktn.fsf@lifelogs.com> <87k4v0n0m8.fsf@lifelogs.com> <87wrrvfnc4.fsf@lifelogs.com> <87r5i2d00q.fsf@lifelogs.com> <87zkwqijye.fsf@stupidchicken.com> <878w4actmg.fsf@lifelogs.com> <877hju123h.fsf@stupidchicken.com> <8762yklrdk.fsf@lifelogs.com> <87wrqzhrjv.fsf@lifelogs.com> <87fwxmihyz.fsf@lifelogs.com> <8762ycfhqo.fsf@lifelogs.com> <8739tcch48.fsf@lifelogs.com> <4C8FC537.2020207@gnutls.org>
To: emacs-devel@gnu.org
Cc: gnutls-devel@gnu.org
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/24.0.50 (gnu/linux)

On Tue, 14 Sep 2010 21:10:52 +0200 Lars Magne Ingebrigtsen wrote:

LMI> Nikos Mavrogiannopoulos writes:

>>> What ca.pem should I use? There's one in GnuTLS and one in
>>> /etc/ssl/certs/ca.pem on my Ubuntu system. It should Just Work so it
>>> may make sense to ship ca.pem with Emacs. WDYT?
>>
>> This is local policy, I don't think that it has to be shipped with
>> emacs. Just give the option of someone specifying it.

LMI> I don't know how tls stuff works at all, but if a certificate is needed
LMI> for basic usage, then it should be shipped with Emacs.

On my Ubuntu system I get 142 CA certificates out of
/etc/ssl/certs/ca-certificates.crt and one out of /etc/ssl/certs/ca.pem.
So the former seems like a better starting point IIUC.

It seems like this should be part of the configure process: if GnuTLS is
enabled, look for a certificate bundle (allowing an override). Then build
a merged bundle out of the local one plus whatever Emacs ships by default
and make that the default certificate bundle (the user can override that
in gnutls.el at runtime, of course).

See http://lynx.isc.org/current/README.sslcerts for an example of how we
could explain this to the Emacs users.

Should Emacs blindly trust all the certificates in the local policy?

Ted
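As an added example, not code from this thread or from Emacs, here is a POSIX shell sketch of the configure-time step described above: locate the system bundle (honouring an override), count the certificates in a bundle the way the 142-certificate figure was obtained, and merge the local bundle with a shipped one so that a certificate present in both appears only once. The CA_BUNDLE_OVERRIDE variable, the find_system_bundle search order and the PEM bodies (AAAA, BBBB, CCCC) are assumptions and constructed sample data, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or from Emacs). Pure sh + awk, no openssl.

# Count the certificates in a PEM bundle (one BEGIN marker per certificate).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Merge any number of PEM bundles, emitting each distinct certificate once.
# Identity is the base64 body between the BEGIN/END markers.
merge_bundles() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /^-----END CERTIFICATE-----/ {
            inblk = 0
            if (!(body in seen)) {
                seen[body] = 1
                printf "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n", body
            }
            next
        }
        inblk { body = body $0 "\n" }
    ' "$@"
}

# Pick the system bundle: an explicit override wins (assumed variable name),
# otherwise the first readable well-known path (assumed search order).
find_system_bundle() {
    if [ -n "${CA_BUNDLE_OVERRIDE:-}" ]; then
        printf '%s\n' "$CA_BUNDLE_OVERRIDE"; return 0
    fi
    for f in /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca.pem; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Constructed sample data: a fake PEM block whose "body" is $1.
pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }

tmp=$(mktemp -d)
{ pem AAAA; pem BBBB; } > "$tmp/local.pem"     # "local policy" bundle: A, B
{ pem BBBB; pem CCCC; } > "$tmp/shipped.pem"   # bundle shipped with the app: B, C
merge_bundles "$tmp/local.pem" "$tmp/shipped.pem" > "$tmp/merged.pem"

echo "local=$(count_certs "$tmp/local.pem") shipped=$(count_certs "$tmp/shipped.pem") merged=$(count_certs "$tmp/merged.pem")"
```

Run against real bundles, count_certs on /etc/ssl/certs/ca-certificates.crt reproduces the per-bundle count, and merge_bundles is what the configure step would use to build the default bundle.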