all messages for Emacs-related lists mirrored at yhetil.org
From: Michael Albinus <michael.albinus@gmx.de>
To: Eli Zaretskii <eliz@gnu.org>
Cc: emacs-devel@gnu.org
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 18:06:37 +0100
Message-ID: <87mw6reaxu.fsf@gmx.de>
In-Reply-To: <83388j5wrs.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 13 Dec 2014 18:39:51 +0200")

Eli Zaretskii <eliz@gnu.org> writes:

> If I do the same for savannah.gnu.org in IE, it shows the following
> certification path:
>
>    UTN-USERFirst-Hardware
>     Gandi Standard SSL CA
>      savannah.gnu.org
>
> Emacs's eww prompts me about https://savannah.gnu.org and shows me
> this information about its certificate:
>
>   Certificate information
>   Issued by:          Gandi Standard SSL CA
>   Issued to:          Domain Control Validated
>   Hostname:           savannah.gnu.org
>   Public key:         RSA, signature: RSA-SHA1
>   Protocol:           TLS1.0, key: RSA, cipher: AES-128-CBC, mac: SHA1
>   Security level:     Medium
>   Valid:              From 2014-03-05 to 2015-03-05
>
>
>   The TLS connection to savannah.gnu.org:443 is insecure for the
>   following reasons:
>
>   certificate signer was not found (self-signed)
>   certificate could not be verified
>
> which also talks about Gandi Standard SSL CA.  So I wonder why GnuTLS
> isn't happy with this, while MS IE is.  Am I missing something?

Likely for the same reason as Firefox: it knows the certificate(s) which
have been used for signing "Gandi Standard SSL CA". In your case, it is
"UTN-USERFirst-Hardware".

In Firefox, the chain is shown as

  AddTrust External CA Root
   UTN-USERFirst-Hardware
    Gandi Standard SSL CA
     savannah.gnu.org

One hop more ...

> (Please be gentle: I know nothing about Internet security and
> certificates.)

Not a big deal: Every certificate must be signed by another one
(certificate authority, or CA), which gives you the trust that this
certificate is valid. The CA certificate must be signed ("guarantee that
it is true") by another one, and so on. This is called a chain of trust.

In order not to create an infinite chain, there are so-called Root CAs,
which are "known by default". If any chain ends in such a root
certificate, you know that the initial certificate is true.

The problem is to distribute and maintain such root
certificates. Browsers have them built-in, but I don't believe Emacs
(eww) shall do so.

Best regards, Michael.
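
Added example (not part of the original message, and not Emacs or GnuTLS code): a name-only model of the chain walk described above, showing how the same server certificate yields a three-entry path, a four-entry path, or a "signer was not found" failure depending on which certificates the client already has. The store contents and the certificates available to each client are assumptions chosen to reproduce the paths quoted in the thread; no signatures are verified.

```python
# Added illustration: name-only model of certificate path building.
# Signatures, validity dates and hostnames are NOT checked here.

# (subject, issuer) pairs, using the names shown in the thread.
LEAF = ("savannah.gnu.org", "Gandi Standard SSL CA")
GANDI = ("Gandi Standard SSL CA", "UTN-USERFirst-Hardware")
UTN_ROOT = ("UTN-USERFirst-Hardware", "UTN-USERFirst-Hardware")  # self-signed
UTN_CROSS = ("UTN-USERFirst-Hardware", "AddTrust External CA Root")
ADDTRUST = ("AddTrust External CA Root", "AddTrust External CA Root")


def build_path(leaf, known, roots):
    """Follow issuer links from leaf until a locally trusted root is reached.

    known: untrusted certificates available for path building.
    roots: certificates the client trusts by default.
    Returns (ok, path listed root-first, reason).
    """
    path, current, seen = [leaf[0]], leaf, {leaf}
    while True:
        issuer = current[1]
        root = next((c for c in roots if c[0] == issuer), None)
        if root is not None:
            if root != current:
                path.append(root[0])
            return True, path[::-1], "chain ends in a trusted root"
        nxt = next((c for c in known if c[0] == issuer and c not in seen), None)
        if nxt is None:
            return False, path[::-1], "certificate signer was not found"
        seen.add(nxt)
        path.append(nxt[0])
        current = nxt


def scenarios():
    sent = [GANDI]  # assumption: the intermediate available to every client
    return {
        # Assumed store contents, chosen to reproduce the paths in the thread.
        "no root store": build_path(LEAF, sent, []),
        "UTN root trusted": build_path(LEAF, sent, [UTN_ROOT]),
        "AddTrust root trusted": build_path(LEAF, sent + [UTN_CROSS], [ADDTRUST]),
    }


if __name__ == "__main__":
    for name, (ok, path, reason) in scenarios().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
        for depth, subject in enumerate(path):
            print("  " + " " * depth + subject)
```
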


