* Re: emacs-26 3302b7c: Mention the NSM in the gnutls variable doc strings
[not found] ` <20180708135931.BCDF7205D8@vcs0.savannah.gnu.org>
@ 2018-07-09 11:49 ` Robert Pluim
2018-07-09 11:53 ` Lars Ingebrigtsen
0 siblings, 1 reply; 3+ messages in thread
From: Robert Pluim @ 2018-07-09 11:49 UTC
To: emacs-devel; +Cc: Lars Ingebrigtsen
larsi@gnus.org (Lars Ingebrigtsen) writes:
> @@ -111,7 +123,14 @@ number with fewer than this number of bits, the handshake is
> rejected. \(The smaller the prime number, the less secure the
> key exchange is against man-in-the-middle attacks.)
>
> -A value of nil says to use the default GnuTLS value."
> +A value of nil says to use the default GnuTLS value.
> +
> +The default value of this variable is such that virtually any
> +connection can be established, whether this connection can be
> +considered cryptographically \"safe\" or not. However, Emacs
> +network security is handled at a higher level via
> +`open-network-stream' and the Network Security Manager. See Info
> +node `(emacs) Network Security'."
> :type '(choice (const :tag "Use default value" nil)
> (integer :tag "Number of bits" 512))
> :group 'gnutls)
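
Review bot: In the added paragraph, "The default value of this variable" comes directly after "A value of nil says to use the default GnuTLS value", so two different defaults sit next to each other and a reader cannot easily tell which one allows "virtually any connection". The paragraph also never states how many bits the variable's default actually is, so the claim cannot be checked from the doc string alone. Suggest naming the default value explicitly, stating separately that nil defers to GnuTLS, and keeping the pointer to `open-network-stream' and the Info node as the place where the stricter check happens.
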
So gnutls-min-prime-bits is still 256, but the NSM on its default
'medium' level will complain if it negotiates < 1024? Would it not
make more sense to set it to nil then? People who really need it at
256 can set it to that (and it should really be settable per-host, but
thatʼs a different issue).
Regards
Robert
* Re: emacs-26 3302b7c: Mention the NSM in the gnutls variable doc strings
2018-07-09 11:49 ` emacs-26 3302b7c: Mention the NSM in the gnutls variable doc strings Robert Pluim
@ 2018-07-09 11:53 ` Lars Ingebrigtsen
2018-07-09 13:27 ` Robert Pluim
0 siblings, 1 reply; 3+ messages in thread
From: Lars Ingebrigtsen @ 2018-07-09 11:53 UTC
To: emacs-devel
Robert Pluim <rpluim@gmail.com> writes:
> So gnutls-min-prime-bits is still 256, but the NSM on its default
> 'medium' level will complain if it negotiates < 1024? Would it not
> make more sense to set it to nil then? People who really need it at
> 256 can set it to that (and it should really be settable per-host, but
> thatʼs a different issue).
No, that's the same issue. We leave this up to the NSM exactly so that
users can decide themselves, on a per-host basis, whether to go through
with the connection or not.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: emacs-26 3302b7c: Mention the NSM in the gnutls variable doc strings
2018-07-09 11:53 ` Lars Ingebrigtsen
@ 2018-07-09 13:27 ` Robert Pluim
0 siblings, 0 replies; 3+ messages in thread
From: Robert Pluim @ 2018-07-09 13:27 UTC
To: Lars Ingebrigtsen; +Cc: emacs-devel
Lars Ingebrigtsen <larsi@gnus.org> writes:
> Robert Pluim <rpluim@gmail.com> writes:
>
>> So gnutls-min-prime-bits is still 256, but the NSM on its default
>> 'medium' level will complain if it negotiates < 1024? Would it not
>> make more sense to set it to nil then? People who really need it at
>> 256 can set it to that (and it should really be settable per-host, but
>> thatʼs a different issue).
>
> No, that's the same issue. We leave this up to the NSM exactly so that
> users can decide themselves, on a per-host basis, whether to go through
> with the connection or not.
I should have read the mega-thread first :-)
Regards
Robert