From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 00:46:16 -0500
Message-ID: <20170228054616.GA28504@jasmine>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine>
	<87fujmcb6w.fsf@gnu.org>
	<87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87inoh660r.fsf@gnu.org>
	<874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<871sv44x97.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60427)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1ciacE-0006W8-Hy
	for guix-devel@gnu.org; Tue, 28 Feb 2017 00:46:27 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1ciacA-0000vN-2P
	for guix-devel@gnu.org; Tue, 28 Feb 2017 00:46:26 -0500
Content-Disposition: inline
In-Reply-To: <871sv44x97.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Ludovic =?iso-8859-1?Q?Court=E8s?= <ludo@gnu.org>
Cc: guix-devel@gnu.org


--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Court=E8s wrote:
> Marius Bakke <mbakke@fastmail.com> skribis:
> > I think having a separate 'le-certs' package that can verify the Lets
> > Encrypt chain sounds like the easiest option. Presumably new
> > intermediates etc will be known well in advance.
>=20
> That sounds more reasonable to me.  Do you know what it would take to
> get the whole LE chain in such a package?  Would you like to give it a
> try?

I tried it. The next intermediate (also called the "backup") is already
known.

I've made it available here:

https://github.com/lfam/le-certs

You can try it out:

$ echo | openssl s_client -CAfile /tmp/le-certs/le-certs.pem -CApath /tmp/l=
e-certs -connect git.savannah.gnu.org:443

Your feedback is requested!

--VS++wcV0S1rZb1Fb
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli1DqcACgkQJkb6MLrK
fwhH+w/7B2/zGeQbbzQ2XzFfx5YksX6US8Zf0vtxVIGyUP3kBEClXHcWqv/PTFhn
l7ybhFRWLQF9ULinNa81hfYeKhtVRHeP+nxJtzjZcjd96UUmKT1jOxTCLcXzN9FD
5rY1ywNVDkd/BV6rSbnUslEdn7jAZx3PS2wxRdHmJB60cjD5UTDdgFdwcKwkPNo9
WdNUM7oPOBgv7ph6gLjzWZuMoDVM7ExqZAZ7TBpEcx9SniSvuNBCKGrccp7ILFQ9
cX3uLB/YV0LSAN9x+S8KitG3Q57zD6ZDFn4vlwCqLYlpTglLuaDedf6v/k0B6Anj
0i8Y8dIXKWWQarHFqQVF+29CCsWVHm4nj50TqUrC6HPz2xFCerpWM68ufIID1Nlv
wcXOkJQj1u6P3Qy8BtQLkvYVhiilhir5Hm0lsDdewL5+cSHDch1qt2KQyYzJeqgK
s6fGKZjA1KHj949iG44raCv21y4VbHqtvuSeVFqzAfs86F2PwlOEngUDGzAibSMX
WQ4BElu2iGjpVFJKTJWnEkeKs+Dq4GVB/s8KPM281NrMvBVK8H0eSrCwrvGI7VL4
4ja/9x0W+hefjWkMDHALaZFaSIw7V7OLN8Jia8IKiDUi3KbgNon9x37jmHuzdHtc
j8H5nVRylwAgrvUYfa7zM9nFrRZu/ZgME7BZWg35+9VOaichTAA=
=hs90
-----END PGP SIGNATURE-----

--VS++wcV0S1rZb1Fb--