
Re: using GnuTLS 3.x and certificate checks


From: Christopher Schmidt
Subject: Re: using GnuTLS 3.x and certificate checks
Date: Wed, 5 Jun 2013 16:59:37 +0100 (BST)

Ted Zlatanov <address@hidden> writes:
> CS> I think a verification mechanism should run unattended without
> CS> user interaction whatsoever.  What's your use case for an
> CS> interactive verification snippet?
>
> TZ> How else could a user accept a previously unknown certificate?
>
> Ping?  Any ideas?

I don't know.  I don't think there is a common use case, though.

Those folks who set up their own verification or pinning mechanism in
favour of a ca-certificates.crt provided by the operating system usually
apply extra careful scrutiny and caution on all aspects of the
certificates.  Accepting new certificates on-the-fly via interactive
minibuffer queries is not a good idea.  I assume most folks would want
to abort the handshake and take a look at the full dump of all the certs
in the chain.

Check the screenshots of Certificate Patrol.

    https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

I, for one, don't need or want any interactive query in case
verification fails.  A user-error or returning an error status is
enough.  (I already implemented certificate pinning support by
substituting open-network-stream with my own implementation.  If
verification fails, the certs received are printed to the
*Messages*-buffer and the connection is killed.  My investigation
continues outside Emacs with the help of gnutls-cli --print-cert and
certtool.  This system is easy to maintain, does not cause much trouble
and I don't have any complaints so far.)

        Christopher
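The fail-closed pinning check described in the message above, written out as an added example (this is not the poster's code, and it makes no use of any Emacs GnuTLS API; the host name, the pin table, and the two "DER" blobs in the demo are constructed stand-ins). It hashes the leaf certificate's DER bytes with SHA-256, compares against a stored pin, and on mismatch dumps every certificate in the chain to *Messages* and signals a `user-error` so the caller can kill the connection without any interactive query:

```elisp
;; Added example: fail-closed certificate pinning, not code from the post.
;; The host, pins and sample DER blobs below are made up for the demo.

(defvar my-cert-pins nil
  "Alist mapping a host name to the expected SHA-256 hex digest of the
leaf certificate's DER encoding.  Populated out of band, never on the fly.")

(defun my-cert-fingerprint (der)
  "Return the SHA-256 hex digest of DER, a unibyte string of certificate bytes."
  (secure-hash 'sha256 der))

(defun my-verify-pinned-chain (host chain)
  "Check that the first certificate in CHAIN matches the pin stored for HOST.
CHAIN is a list of unibyte strings (DER), leaf first.  Return t on match.
Unknown host or mismatch: log every cert's fingerprint to *Messages* and
signal a `user-error' so the caller aborts the handshake unattended."
  (let ((expected (cdr (assoc host my-cert-pins)))
        (actual (my-cert-fingerprint (car chain))))
    (cond
     ((null expected)
      (user-error "No pin stored for %s; refusing to connect" host))
     ((string= expected actual)
      t)
     (t
      (message "Pin mismatch for %s: expected %s, got %s" host expected actual)
      (let ((i 0))
        (dolist (cert chain)
          (message "  cert[%d] sha256=%s (%d bytes)"
                   i (my-cert-fingerprint cert) (length cert))
          (setq i (1+ i))))
      (user-error "Certificate pin mismatch for %s; connection aborted" host)))))

;; Constructed demo input: two fake DER blobs standing in for a leaf and
;; its issuer.  The pin is derived from the fake leaf so the check passes;
;; swapping in a different leaf makes it fail closed instead.
(let* ((leaf (string-to-unibyte "fake-leaf-der"))
       (issuer (string-to-unibyte "fake-issuer-der"))
       (my-cert-pins (list (cons "mail.example.invalid"
                                 (my-cert-fingerprint leaf)))))
  (my-verify-pinned-chain "mail.example.invalid" (list leaf issuer)))
```

Pinning the whole DER encoding means a routine certificate renewal trips the check until the pin table is updated by hand; that is the deliberate trade-off the message argues for, since the failure surfaces as a loud, non-interactive error with the full chain logged for offline inspection with gnutls-cli and certtool.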


