Re: A couple of questions and concerns about Emacs network security

From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 19:54:16 +0100

> Some people want these checks on the TLS level, and that's why those
> checks exist.  It's perfectly reasonable for a user with a specific need
> (for instance, to talk to a particularly ornery old private SSL 0.9
> server) to use the gnutls functions and variables directly when
> implementing their solution.

It's not about what they want, but about what to give them so they can
accomplish what they want to do without getting confused by the
contradictory docs, and reading the source code. The pretense of NSM
taking care of all network security matters does not match the
reality. And from the sense I get, there's no intention to turn that
ideal into reality either. Nobody is talking about taking away
functionality here. You can remove/replace/rename/change things and
still provide equivalent functionality.

> That's why these things are layered.  gnutls is a low-level library that
> allows tweaking certain things about the connections it provides.
> The NSM is a high-level user facing library.  Merging the two doesn't
> seem to make much sense.
> Both here and in other places in this thread you seem to fixate on the
> particular use cases you're interested in to the extent that you say
> that other use cases are wrong, somehow.  People have different needs
> and different approaches, and Emacs should empower them to get their
> work done, and not pressure them into doing it the way we think they
> should do it.

We are talking about what should be the defaults here. As I've said in
that giant email a couple of days ago, you can have both reasonable
OOTB settings and freedom. If you haven't read it, I urge you to.

How about this: I'll be satisfied if we append :group 'nsm on the
gnutls defcustoms, so they show up on both the gnutls customize group
**and** nsm, and document in the docstrings the effects on NSM checks
if you mess with these GnuTLS settings? This doesn't sound too drastic
and saves users from having to dig around 2 different places or
resort to trial and error to figure out their interactions.
