From: Ted Zlatanov
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Thu, 09 Oct 2014 09:10:17 -0400
Organization: Теодор Златанов @ Cienfuegos
To: emacs-devel@gnu.org
References: <1412716565-7786-1-git-send-email-toke@toke.dk> <87tx3emvwv.fsf@alrua-karlstad.karlstad.toke.dk> <87lhoqzdzv.fsf@toke.dk>
Xref: news.gmane.org gmane.emacs.devel:175183

On Wed, 08 Oct 2014 19:07:48 +0200 Toke Høiland-Jørgensen wrote:

TH> Lars Magne Ingebrigtsen writes:

>> Well, I kinda think the TOFU stuff is a fine band-aid, but we really
>> need a suture here, and the band-aid really sounds like it would more
>> get in the way of getting what we really need. :-)

TH> Yeah, well for right now I'm in the band-aid making business I guess :)
TH> Resubmitted the updated patch and will return once I have some time for
TH> making sutures...
Toke and Lars, I would really appreciate it if you could review this thread, which was my preliminary research in 2010 on how we could store and verify certificates, with comments from Nikos (the maintainer of GnuTLS). It predates the TOFU features.

http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4580

Lars, I think it would be smart to resume that conversation and ask the GnuTLS guys about Toke's approach vs. the oversight-from-ELisp approach you suggested. I think Eli is on the GnuTLS mailing list and perhaps others will join in.

Either way, I think the TOFU functions will at least have to be exposed to ELisp when they are available so the certificate UI can use them. So I can break Toke's patch in two pieces for that purpose, if that's OK with everyone, and apply the part I know we'll need.

Thanks
Ted