Re: NSM certificate prompt

[Ted Zlatanov <tzz@lifelogs.com>]

On Sat, 13 Dec 2014 20:16:30 +0100 Michael Albinus <michael.albinus@gmx.de> wrote: 

MA> Lars Magne Ingebrigtsen <larsi@gnus.org> writes:
>> Eli Zaretskii <eliz@gnu.org> writes:
>> 
>>> A middle ground would be to offer to perform an update of the
>>> certificates when validation fails.
>> 
>> Yes, that would be nice.  We'd have to have a secure way to retrieve
>> those certificates, though.  Perhaps we could use GNU ELPA for this?
>> Wasn't there some work done on signing packages?

We have signed packages (but you need GnuPG installed).

The last time I brought up storing the CA certificates inside Emacs,
there was no interest in maintaining that facility. Similarly, we don't
package GnuTLS with Emacs, so the user has to update it manually (we
also discussed this with Eli a while back).

MA> That's not the crucial point. A root certificate could be compromised,
MA> and with this compromised root certificate a validation might still
MA> succeed when it shouldn't. ELPA does not has the means to urge a package
MA> update of the hypothetical ca-certificates package, when a new version
MA> appears.

Well, typically CRLs are used for such urgent revocations, right? So
those could be supported specifically. And we could say that
`network-security-level' of 'high or above requires having the latest
GNU ELPA certificates package. I think it's technically possible.

MA> I don't believe this belongs to Emacs' core functionality. It might be
MA> better to investigate first, whether there exist already an
MA> infrastructure on the different supported systems we could use. Like the
MA> Debian package I've mentioned already.

It's definitely easier to rely on the host OS.  I don't know if it's
always the right thing because not all platforms are up to date, and the
user may not be able to control the CA store updates.  The GnuTLS
updates are handled similarly.

Ted