emacs-devel

Re: Emacs core TLS support


From: Ted Zlatanov
Subject: Re: Emacs core TLS support
Date: Wed, 15 Sep 2010 06:20:48 -0500
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/24.0.50 (gnu/linux)

On Tue, 14 Sep 2010 21:10:52 +0200 Lars Magne Ingebrigtsen <address@hidden> wrote:

LMI> Nikos Mavrogiannopoulos <address@hidden> writes:
>>> What ca.pem should I use?  There's one in GnuTLS and one in
>>> /etc/ssl/certs/ca.pem on my Ubuntu system.  It should Just Work so it
>>> may make sense to ship ca.pem with Emacs.  WDYT?
>> 
>> This is local policy, I don't think that it has to be shipped with
>> emacs. Just give the option of someone specifying it.

LMI> I don't know how tls stuff works at all, but if a certificate is needed
LMI> for basic usage, then it should be shipped with Emacs.

On my Ubuntu system I get 142 CA certificates out of
/etc/ssl/certs/ca-certificates.crt and one out of /etc/ssl/certs/ca.pem.
So the former seems like a better starting point IIUC.  It seems like
this should be part of the configure process: if GnuTLS is enabled, look
for a certificate bundle (allowing an override).  Then build a merged
bundle out of the local one plus whatever Emacs ships by default and
make that the default certificate bundle (the user can override that in
gnutls.el at runtime, of course).  See
http://lynx.isc.org/current/README.sslcerts for an example of how we
could explain this to the Emacs users.

Should Emacs blindly trust all the certificates in the local policy?

Ted
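
The configure-time step proposed in the message above (find a local certificate bundle, allow an override, merge it with a shipped bundle), sketched as an added shell example that is not from the thread or from Emacs. `CA_BUNDLE_OVERRIDE`, the function names and the sample bundles are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: locate a CA bundle, then merge it with a shipped one.
# CA_BUNDLE_OVERRIDE and all function names are hypothetical.

# Print the first readable bundle: the override, then the two paths from the message.
find_ca_bundle() {
    for f in "${CA_BUNDLE_OVERRIDE:-}" \
             /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca.pem; do
        if [ -n "$f" ] && [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Count the certificates in a PEM bundle.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Concatenate bundles to stdout, keeping the first copy of each PEM block
# and dropping any text outside the BEGIN/END markers.
merge_bundles() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; block = "" }
        inside { sub(/\r$/, ""); block = block $0 "\n" }
        /-----END CERTIFICATE-----/ {
            if (inside && !(block in seen)) { seen[block] = 1; printf "%s", block }
            inside = 0
        }
    ' "$@"
}

# Write two constructed bundles (placeholder bodies, not real certificates).
make_sample_bundles() {
    pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
    { echo "# local policy"; pem AAAA; pem BBBB; } > "$1/local.pem"
    { pem BBBB; pem CCCC; } > "$1/shipped.pem"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_bundles "$d"
    merge_bundles "$d/local.pem" "$d/shipped.pem" > "$d/merged.pem"
    echo "local=$(count_certs "$d/local.pem") shipped=$(count_certs "$d/shipped.pem")" \
         "merged=$(count_certs "$d/merged.pem")"
    rm -rf "$d"
}
demo
```

Comparing the local, shipped and merged counts shows how many trust anchors each source contributes, which is the number to review before making the merged file the default.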



