From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 24 Jun 2018 19:29:24 +0100
To: Lars Ingebrigtsen
Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, emacs-devel@gnu.org

> I'm not quite sure I follow you here. OCSP is the online query stuff,
> and is something that gnutls doesn't do, I think, and which is probably
> not something we want to do either. (Chrome doesn't, for instance.)

GnuTLS has had the ability to do OCSP since 3.1.3, released back in 2012. This is how you do it according to the manual.

Chrome's primary check OOTB is its own curated CRLSet, but it does use OCSP for some EV certs, and relies on the underlying library to do OCSP. You can also enable it in Chrome if you want.

> But a certificate revocation list is something we could consider
> distributing via ELPA, but that's a bigger project...

No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`) it looks for now; the same can be done for CRL files. Users can periodically update their CA bundle and CRL bundle. The CA bundle on *nix is typically Mozilla's, which is covered by the default list in `gnutls-trustfiles`. A complete list of CRLs in PEM format typically doesn't exist on most systems, but can be generated with `igtf-ca-bundle` + `fetch-crl`. I just generated them on macOS via MacPorts; Linux should also be a matter of installing a few packages and running `fetch-crl`.

> Or do you mean OCSP stapling? There's so much going on in this area
> (because it's a clusterfuck to begin with) that it can be challenging
> keeping track. :-)

Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP above.
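As an added example (not code from the post above, nor Emacs's own), here is what a CRL-file list shaped like `gnutls-trustfiles` could look like in Emacs Lisp, fed to the `:crlfiles` keyword that `gnutls-negotiate` already accepts. The names `my-gnutls-crlfiles` and `my-open-tls-stream-with-crls` and the glob paths for `fetch-crl` output are assumptions.

```elisp
;; Added example: a CRL list modelled on `gnutls-trustfiles', handed to
;; GnuTLS through the existing :crlfiles keyword of `gnutls-negotiate'.
;; The variable/function names and the directory globs are assumptions.
(require 'gnutls)

(defcustom my-gnutls-crlfiles
  '("/etc/grid-security/certificates/*.r0"            ; assumed fetch-crl output dir (Linux)
    "/opt/local/etc/grid-security/certificates/*.r0") ; assumed MacPorts prefix
  "List of CRL file globs, or a function returning such a list.
Mirrors the shape of `gnutls-trustfiles' so users can refresh the CRL
bundle with `fetch-crl' and have every TLS connection pick it up."
  :type '(choice (function :tag "Function returning CRL file paths")
                 (repeat (file :tag "CRL file glob")))
  :group 'gnutls)

(defun my-gnutls-crlfiles ()
  "Return the CRL files that actually exist, expanded from `my-gnutls-crlfiles'."
  (let ((specs (if (functionp my-gnutls-crlfiles)
                   (funcall my-gnutls-crlfiles)
                 my-gnutls-crlfiles)))
    ;; `file-expand-wildcards' with FULL non-nil yields absolute paths and
    ;; silently drops patterns that match nothing, so a missing directory on
    ;; one platform costs nothing on another.
    (apply #'append
           (mapcar (lambda (spec) (file-expand-wildcards spec t)) specs))))

(defun my-open-tls-stream-with-crls (name buffer host service)
  "Like `open-gnutls-stream', but also load the CRL bundle into GnuTLS.
Trust files still come from `gnutls-trustfiles' via `gnutls-boot-parameters';
:verify-error t makes any verification failure abort the handshake instead
of leaving the decision to NSM."
  (let ((proc (open-network-stream name buffer host service)))
    (gnutls-negotiate :process proc
                      :type 'gnutls-x509pki
                      :hostname host
                      :verify-error t
                      :crlfiles (my-gnutls-crlfiles))))
```

Evaluate `(my-gnutls-crlfiles)` after running `fetch-crl` to confirm the globs resolve before wiring the wrapper into your network code.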