From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: url library and GnuTLS, and Emacs-issued certificates
Date: Wed, 23 Mar 2011 10:30:29 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87ei5xsvl6.fsf@lifelogs.com>
References: <87mxkojpk4.fsf@lifelogs.com> <87hbawtbq7.fsf@stupidchicken.com> <878vw8hznm.fsf_-_@lifelogs.com>
To: emacs-devel@gnu.org
On Mon, 21 Mar 2011 17:33:33 -0500 Ted Zlatanov wrote:

TZ> On Mon, 21 Mar 2011 17:17:20 -0400 Chong Yidong wrote:

CY> Ted Zlatanov writes:

aj> so far there is no tls/ssl support for elpa.gnu.org. In my opinion
aj> this is a real problem as there is no way to check the authenticity
aj> and integrity of downloaded packages. Is it possible to expand the
aj> certificate of gnu.org to elpa.gnu.org?
aj> Of course this makes the package-manager not checking integrity -
aj> but I think anyone interested in doing so can modify it without
aj> problems.
>>>
>>> I can install a certificate but it has to be requested by the domain
>>> owner so I'm not sure who to bug about it.

CY> Why not simply distribute the certificate file with Emacs?
TZ> I assumed we'd want https://elpa.gnu.org/packages/ to look reasonable in
TZ> a web browser.

TZ> In any case, I think it's a good idea to set up an Emacs Certificate
TZ> Authority (CA) so we can create certificates that Emacs will trust. We
TZ> just need to ship the CA's certificate with Emacs then, not every
TZ> certificate it has signed. We can then make a .p12 file that browser
TZ> users can import to trust Emacs-signed certificates.

TZ> It may make sense, though, to make this CA a facility for the whole GNU
TZ> project and then the Emacs CA can be an intermediate CA hanging off that
TZ> root CA. That should be decided before we start pushing out
TZ> certificates, please, so we don't have to invalidate them later.

Any opinions on this? It's really not hard to set up the CA stuff but I'd
like to know what people think before I do it. It really seems like it
should be a GNU-level or FSF-level facility.

CY> Also, the Emacs package manager uses the url library for downloading via
CY> http. How well does that library support https? If I give
CY> `url-retrieve-synchronously' a https url, does it currently DTRT?

TZ> It's insecure currently and won't work on all platforms. It uses tls.el
TZ> (see `url-https-create-secure-wrapper') which in turn relies on the
TZ> gnutls-cli or openssl binaries to be installed and usable, calling
TZ> gnutls-cli by default with --insecure (though the user can manually
TZ> adjust that, see `tls-checktrust'). We need the GnuTLS support at the C
TZ> level to make the url library secure through gnutls.el.

TZ> I need to look at Claudio Bley's patch that was posted on emacs-devel 2
TZ> days ago and figure out what's wrong with hostname verification against
TZ> the certificate. Once that's done we can promote gnutls.el+gnutls.c to
TZ> "need testing" and make them the default for the url library, Gnus, etc.

This work is almost done.
But probably a better approach than relying directly on gnutls.el is to
make url.el use proto-stream.el from Gnus, which handles most of the
connection details automatically whether Emacs has GnuTLS support
built-in or not. I looked at it in order to make the new GnuTLS support
work properly and it seems like a good general facility, not just for
Gnus. proto-stream.el doesn't depend on any Gnus internals, it's a
standalone library. It could live in net/ in the Emacs repo.

Thanks
Ted