Re: Network security manager

[Lars Magne Ingebrigtsen]

Ted Zlatanov <address@hidden> writes:

> What do you think about the verification and TOFU implementation in
> gnutls-cli? Please see
> https://gitorious.org/gnutls/gnutls/raw/master:src/cli.c inside
> cert_verify_callback() for the details.
>
> * uses SSH-style gnutls_store_pubkey() and gnutls_verify_stored_pubkey()
>   to DTRT and pins the public key rather than the certificate
>   fingerprint. The pub keys are stored by default in a way that lets the
>   user look them up by hostname, but we can customize that. And it's
>   mostly handled by GnuTLS internals as far as pubkey extraction and
>   verification.
>
> * does DANE auth (although I don't know the details on DANE, the
>   client implementation looks reasonable and Toke suggested it)
>
> * checks OCSP for revocations using cert_verify_ocsp() in the same cli.c

So gnutls proper doesn't do this?  We'd have to implement it ourselves
if we want it...  (I mean, copy chunks of their code.  >"?)

Can we do DANE and OCSP from Emacs Lisp?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no