From: Chong Yidong
Newsgroups: gmane.emacs.devel
Subject: Re: url library and GnuTLS, and Emacs-issued certificates
Date: Wed, 23 Mar 2011 14:31:02 -0400
Message-ID: <87hbatofix.fsf@stupidchicken.com>
References: <87mxkojpk4.fsf@lifelogs.com> <87hbawtbq7.fsf@stupidchicken.com> <878vw8hznm.fsf_-_@lifelogs.com> <87ei5xsvl6.fsf@lifelogs.com>
To: Ted Zlatanov
Cc: emacs-devel@gnu.org
In-Reply-To: <87ei5xsvl6.fsf@lifelogs.com> (Ted Zlatanov's message of "Wed, 23 Mar 2011 10:30:29 -0500")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

Ted Zlatanov writes:

> TZ> In any case, I think it's a good idea to set up an Emacs
> TZ> Certificate Authority (CA) so we can create certificates that
> TZ> Emacs will trust... It may make sense, though, to make this CA a
> TZ> facility for the whole GNU project and then the Emacs CA can be an
> TZ> intermediate CA hanging off that root CA. That should be decided
> TZ> before we start pushing out certificates, please, so we don't have
> TZ> to invalidate them later.
>
> Any opinions on this? It's really not hard to set up the CA stuff but
> I'd like to know what people think before I do it. It really seems
> like it should be a GNU-level or FSF-level facility.

I don't think setting up a GNU-wide CA is a good idea; it's mission creep
and the gains seem negligible. As for an Emacs-specific CA, I don't know
enough of the details of how CAs are maintained to evaluate the proposal.
On reflection, the best solution is the one that needs the least work from
us. So it's probably best to ask the FSF sysadmins to request and install
a cert, as you originally suggested. Could you email them?

> This work is almost done. But probably a better approach than relying
> directly on gnutls.el is to make url.el use proto-stream.el from Gnus,
> which handles most of the connection details automatically whether Emacs
> has GnuTLS support built-in or not. I looked at it in order to make the
> new GnuTLS support work properly and it seems like a good general
> facility, not just for Gnus.
>
> proto-stream.el doesn't depend on any Gnus internals, it's a standalone
> library. It could live in net/ in the Emacs repo.

How about merging the open-protocol-stream code directly into
open-network-stream? Then we can make open-protocol-stream an alias for
open-network-stream, and (provide 'proto-stream) in subr.el. If the Gnus
developers don't object, I propose to do this.

(Also, gnutls.el should be changed to explicitly recommend that
applications not use it directly, and we should merge net/tls.el and
gnus/starttls.el; those two packages appear to be duplicates.)