From: Michael Albinus
Newsgroups: gmane.emacs.devel
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 18:06:37 +0100
Message-ID: <87mw6reaxu.fsf@gmx.de>
References: <83a92r625n.fsf@gnu.org> <87wq5vefiz.fsf@gmx.de> <83388j5wrs.fsf@gnu.org>
To: Eli Zaretskii
Cc: emacs-devel@gnu.org
In-Reply-To: <83388j5wrs.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 13 Dec 2014 18:39:51 +0200")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
List-Id: "Emacs development discussions." <emacs-devel@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:180022

Eli Zaretskii writes:

> If I do the same for savannah.gnu.org in IE, it shows the following
> certification path:
>
>   UTN-USERFirst-Hardware
>     Gandi Standard SSL CA
>       savannah.gnu.org
>
> Emacs's eww prompts me about https://savannah.gnu.org and shows me
> this information about its certificate:
>
>   Certificate information
>   Issued by:          Gandi Standard SSL CA
>   Issued to:          Domain Control Validated
>   Hostname:           savannah.gnu.org
>   Public key:         RSA, signature: RSA-SHA1
>   Protocol:           TLS1.0, key: RSA, cipher: AES-128-CBC, mac: SHA1
>   Security level:     Medium
>   Valid:              From 2014-03-05 to 2015-03-05
>
>
>   The TLS connection to savannah.gnu.org:443 is insecure for the
>   following reasons:
>
>   certificate signer was not found (self-signed)
>   certificate could not be verified
>
> which also talks about Gandi Standard SSL CA.  So I wonder why GnuTLS
> isn't happy with this, while MS IE is.  Am I missing something?

Likely for the same reason as Firefox: it knows the certificate(s)
which have been used for signing "Gandi Standard SSL CA".  In your
case, it is "UTN-USERFirst-Hardware".

In Firefox, the chain is shown as

  AddTrust External CA Root
    UTN-USERFirst-Hardware
      Gandi Standard SSL CA
        savannah.gnu.org

One hop more ...

> (Please be gentle: I know nothing about Internet security and
> certificates.)

Not a big deal: Every certificate must be signed by another one
(certificate authority, or CA), which gives you the trust that this
certificate is valid.  The CA certificate must be signed ("guarantee
that it is true") by another one, and so on.  This is called a chain
of trust.

In order not to create an infinite chain, there are so-called Root
CAs, which are "known by default".  If any chain ends in such a root
certificate, you know that the initial certificate is true.

The problem is to distribute and maintain such root certificates.
Browsers have them built-in, but I don't believe Emacs (eww) shall do
so.

Best regards, Michael.
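The chain-walking step Michael describes, as an added example that is not part of the thread and not Emacs, eww or GnuTLS code. It models only the path-building half of verification: "certificates" are plain dicts with subject, issuer and validity dates; the cryptographic signature check on each hop is deliberately out of scope, and a hop is accepted purely on the issuer name. The subject names mirror the thread; the validity dates of the CA certificates, the set of intermediates each client has available and the contents of each client's trust store are constructed placeholders, not the real certificates or browser stores. The three scenarios reproduce the thread's observation: a client whose store holds the right root reaches it, while a client without that root stops at the last hop it can resolve with "signer not found".

```python
"""Toy chain-of-trust walk: constructed certificates, no signature checks."""
from datetime import date

# Constructed certificates. The leaf's validity dates are the ones shown in
# the thread; the CA dates below are placeholders, not the real values.
LEAF = {"subject": "savannah.gnu.org", "issuer": "Gandi Standard SSL CA",
        "not_before": date(2014, 3, 5), "not_after": date(2015, 3, 5)}
GANDI = {"subject": "Gandi Standard SSL CA", "issuer": "UTN-USERFirst-Hardware",
         "not_before": date(2000, 1, 1), "not_after": date(2030, 1, 1)}
UTN = {"subject": "UTN-USERFirst-Hardware", "issuer": "AddTrust External CA Root",
       "not_before": date(2000, 1, 1), "not_after": date(2030, 1, 1)}
ADDTRUST = {"subject": "AddTrust External CA Root",
            "issuer": "AddTrust External CA Root",  # self-signed root
            "not_before": date(2000, 1, 1), "not_after": date(2030, 1, 1)}


def build_chain(leaf, supplied, trust_store, today, max_depth=8):
    """Walk issuer links from `leaf` until a trusted root is reached.

    `supplied` models the certificates available to the client (what the
    server sent in the handshake, plus anything the client has cached);
    `trust_store` models the root CAs the client "knows by default".
    Returns (status, [subjects walked so far]).  Matching is by name only;
    real verifiers match on key identifiers and check each signature.
    """
    by_subject = {c["subject"]: c for c in supplied}
    anchors = {c["subject"]: c for c in trust_store}
    chain, cert = [], leaf
    while True:
        chain.append(cert["subject"])
        if not (cert["not_before"] <= today <= cert["not_after"]):
            return "expired", chain
        if cert["subject"] in anchors:
            return "ok", chain            # chain ends in a known root
        if cert["issuer"] == cert["subject"]:
            # Self-signed, but nobody the client trusts vouches for it.
            return "self-signed", chain
        if len(chain) >= max_depth:
            return "too-long", chain
        # The next hop may come with the handshake or be a trusted root.
        issuer = by_subject.get(cert["issuer"]) or anchors.get(cert["issuer"])
        if issuer is None:
            # GnuTLS' "certificate signer was not found": the issuer is
            # neither among the supplied certificates nor a trusted root.
            return "signer-not-found", chain
        cert = issuer


def scenarios(today=date(2014, 12, 13)):
    """Three constructed clients looking at the same server certificates."""
    from_server = [LEAF, GANDI]   # constructed: leaf plus one intermediate
    return {
        # Client whose store holds UTN-USERFirst-Hardware as a root.
        "ie": build_chain(LEAF, from_server, [UTN], today),
        # Client whose store holds AddTrust and which also has the UTN
        # cross-certificate available, giving the longer chain.
        "firefox": build_chain(LEAF, from_server + [UTN], [ADDTRUST], today),
        # Client with no matching root at all: the walk stops at Gandi.
        "no-roots": build_chain(LEAF, from_server, [], today),
    }


if __name__ == "__main__":
    for client, (status, chain) in scenarios().items():
        print(f"{client:9} {status:17} {' -> '.join(chain)}")
```

Run it and compare the `no-roots` line with the eww prompt in the thread: the walk resolves `savannah.gnu.org` to `Gandi Standard SSL CA` and then fails, which is why the error message names a CA the client nonetheless cannot vouch for. Changing `today` to a date after 2015-03-05 makes every client report `expired` at the leaf instead.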