From: "Stephen J. Turnbull"
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Thu, 09 Oct 2014 11:43:49 +0900
Message-ID: <878ukqq7x6.fsf@uwakimon.sk.tsukuba.ac.jp>
To: emacs-devel@gnu.org

Ted Zlatanov writes:

> On Wed, 08 Oct 2014 17:31:33 +0200 Lars Magne Ingebrigtsen wrote:
> LMI> If the user can't answer questions, the default would be to reject
> LMI> invalid certificates.
>
> They are not necessarily invalid.

Youngsters these days have trouble with precise use of English, and
the usage "invalid" for "unable to establish a chain of trust to a
trusted root" is common. Get used to it, old man. :-)

FWIW, I think I'm one of the more paranoid folks around Emacs
development, and I don't see a problem with completing whatever
operations are necessary to get safely back to Lisp to query the user,
as long as

(1) No data is transmitted from Emacs to the remote, except that
    needed by the protocol to establish the connection (transmitting
    credentials should be avoided if possible, but that may not be
    possible in some protocols).

(2) All data received is squirreled away in a buffer inaccessible to
    Emacs (except for the code that will eventually move it to Lisp,
    of course), and this buffer is "read-locked" until permission is
    received from the user.

(3) The amount of data accepted is effectively limited (to avoid DoS
    attacks -- this is probably gilding a lily, but I am paranoid).

Regards,
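
The three conditions in the message above, sketched as a small quarantine buffer in C. This is an added example, not part of the message and not Emacs or GnuTLS code; the `quarantine` type, the `q_*` functions and the 4096-byte cap are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
#define QUARANTINE_CAP 4096   /* assumed limit for condition (3) */
enum q_state { Q_PENDING, Q_APPROVED, Q_REJECTED };
struct quarantine {           /* hypothetical type, not from Emacs */
  unsigned char data[QUARANTINE_CAP];
  size_t len;
  enum q_state state;
  int overflowed;             /* peer exceeded the cap while pending */
};

void q_init(struct quarantine *q) { memset(q, 0, sizeof *q); } /* Q_PENDING == 0 */

/* Condition (3): hold peer bytes, never more than the cap; -1 = drop connection. */
long q_store(struct quarantine *q, const unsigned char *buf, size_t n) {
  if (q->state == Q_REJECTED) return -1;
  if (n > QUARANTINE_CAP - q->len) { q->overflowed = 1; return -1; }
  memcpy(q->data + q->len, buf, n);
  q->len += n;
  return (long) n;
}

/* Condition (1): until the user approves, only handshake bytes may leave. */
int q_may_send(const struct quarantine *q, int is_handshake) {
  return q->state != Q_REJECTED && (is_handshake || q->state == Q_APPROVED);
}

/* The user's answer. A truncated stream is never approved; rejection wipes held bytes. */
void q_decide(struct quarantine *q, int accept) {
  if (q->state != Q_PENDING) return;
  if (accept && !q->overflowed) { q->state = Q_APPROVED; return; }
  memset(q->data, 0, sizeof q->data);
  q->len = 0; q->state = Q_REJECTED;
}

/* Condition (2): read-locked until approved; -1 while pending or rejected. */
long q_read(struct quarantine *q, unsigned char *out, size_t outsz) {
  if (q->state != Q_APPROVED) return -1;
  size_t n = q->len < outsz ? q->len : outsz;
  memcpy(out, q->data, n);
  memmove(q->data, q->data + n, q->len - n);
  q->len -= n;
  return (long) n;
}

int main(void) {
  struct quarantine q; unsigned char out[8]; q_init(&q);
  q_store(&q, (const unsigned char *) "hello", 5); /* constructed sample input */
  q_decide(&q, 1);
  return q_read(&q, out, sizeof out) == 5 ? 0 : 1;
}
```

Treating an overflow as grounds for rejection even when the user accepts is a design choice of this sketch: bytes were discarded, so the held stream is no longer what the peer sent.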