From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 15:02:48 -0500
Organization: Теодор Златанов @ Cienfuegos
Message-ID: <87mw6rz5av.fsf@lifelogs.com>
References: <83a92r625n.fsf@gnu.org> <87wq5vefiz.fsf@gmx.de> <87r3w3ebds.fsf@gmx.de> <83wq5v4eb8.fsf@gnu.org> <87egs3e4xd.fsf@gmx.de>
To: emacs-devel@gnu.org
User-Agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Sat, 13 Dec 2014 20:16:30 +0100 Michael Albinus wrote:

MA> Lars Magne Ingebrigtsen writes:

>> Eli Zaretskii writes:
>>
>>> A middle ground would be to offer to perform an update of the
>>> certificates when validation fails.
>>
>> Yes, that would be nice. We'd have to have a secure way to retrieve
>> those certificates, though. Perhaps we could use GNU ELPA for this?
>> Wasn't there some work done on signing packages?

We have signed packages (but you need GnuPG installed). The last time I
brought up storing the CA certificates inside Emacs, there was no
interest in maintaining that facility. Similarly, we don't package
GnuTLS with Emacs, so the user has to update it manually (we also
discussed this with Eli a while back).

MA> That's not the crucial point. A root certificate could be compromised,
MA> and with this compromised root certificate a validation might still
MA> succeed when it shouldn't. ELPA does not have the means to urge a package
MA> update of the hypothetical ca-certificates package when a new version
MA> appears.

Well, typically CRLs are used for such urgent revocations, right? So
those could be supported specifically. And we could say that
`network-security-level' of 'high or above requires having the latest
GNU ELPA certificates package. I think it's technically possible.

MA> I don't believe this belongs to Emacs' core functionality. It might be
MA> better to investigate first whether there already exists an
MA> infrastructure on the different supported systems we could use. Like the
MA> Debian package I've mentioned already.

It's definitely easier to rely on the host OS. I don't know if it's
always the right thing because not all platforms are up to date, and the
user may not be able to control the CA store updates. The GnuTLS updates
are handled similarly.

Ted
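The CRL point raised in the message above, as an added example that is not part of the thread and not Emacs or GnuTLS code: a throwaway PKI built with the openssl command line, where the leaf certificate is revoked through a CRL and then validated twice, once with plain chain checking and once with revocation checking turned on. It assumes `openssl` (1.1.1 or later) is on PATH; the names (`Example Root`, `leaf.example`) and the minimal `ca.cnf` are made up for the example. It also shows the limit that matters for the "compromised root" case: a CRL is signed by the issuing CA and lists certificates that CA issued, so it can revoke a leaf or an intermediate, but not the trust anchor itself. A compromised root is handled by removing it from the trust store, which is exactly the CA-bundle update the thread is arguing about.

```shell
#!/bin/sh
# Added example (not from the Emacs thread): show what a CRL check covers.
# Assumes `openssl` 1.1.1+ on PATH. All names and files here are made up.
set -eu

# build_pki: create a root CA and a leaf under a fresh temp dir ($WORK),
# then revoke the leaf and issue a CRL signed by the root.
build_pki() {
    WORK=$(mktemp -d)

    # Root CA. This is the trust anchor: a CRL can never revoke it, only
    # removing it from the trust store does (i.e. a CA-bundle update).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

    # Leaf certificate issued by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 30 \
        -out "$WORK/leaf.crt" 2>/dev/null

    # Minimal `openssl ca` configuration: only what revoke/gencrl need.
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = example_policy
[ example_policy ]
commonName = supplied
EOF
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"

    # Mark the leaf revoked in the CA database and publish the CRL.
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# verify_without_crl: chain validation only. Exit status is openssl's:
# 0 because the chain to the root is intact; revocation is never consulted.
verify_without_crl() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt"
}

# verify_with_crl: same chain, plus the CRL and -crl_check. Non-zero exit
# with "certificate revoked" because the leaf's serial is on the CRL.
verify_with_crl() {
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
        -crl_check "$WORK/leaf.crt"
}

main() {
    build_pki
    echo "--- chain check only (revocation not consulted):"
    verify_without_crl
    echo "--- chain check with -crl_check:"
    if verify_with_crl; then
        echo "BUG: revoked leaf was accepted" >&2
        exit 1
    fi
    rm -rf "$WORK"
}

main
```

Run it with `sh`; the first `openssl verify` reports `OK`, the second reports `certificate revoked`. The point for the thread: CRL support only helps when the client actually fetches and applies the CRL, and it only reaches certificates below a trust anchor, so it is a complement to, not a replacement for, keeping the CA store itself current.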