From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Albinus
Newsgroups: gmane.emacs.devel
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 17:57:03 +0100
Message-ID: <87r3w3ebds.fsf@gmx.de>
References: <83a92r625n.fsf@gnu.org> <87wq5vefiz.fsf@gmx.de>
To: Lars Magne Ingebrigtsen
Cc: Eli Zaretskii, emacs-devel@gnu.org

Lars Magne Ingebrigtsen writes:

> Michael Albinus writes:
>
>> "Other Web browsers" carry builtin certificates.
>
> We should do that too, I guess.

I don't think so. It will be an endless story, because this will require
permanent updates. Certificates have a limited life (see the Expires
attribute); new certificates must be added regularly, and even
established certificates must be revoked sometimes (if the CA has been
hacked, for example).

A better solution might be to use system-installed certificates. For
example, Debian offers the package ca-certificates. It installs known
certificates at /usr/share/ca-certificates, which could be used. See
also /usr/share/doc/ca-certificates/README.Debian.

Similar packages might exist for other systems. Don't know, whether
gnutls uses them already by default.

Best regards, Michael.