gnutls-devel

Re: recommendations for storage of accepted certificates


From: Nikos Mavrogiannopoulos
Subject: Re: recommendations for storage of accepted certificates
Date: Sat, 02 Oct 2010 08:51:18 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100915 Thunderbird/3.0.8

On 10/01/2010 09:50 PM, Ted Zlatanov wrote:
> I want to store the server certificates that the user accepts.  This is
> inside Emacs so I have easy access to file editing and all the other
> nifty Emacs Lisp functions.
> 
> Can I generate a trust file? 

Of course you can. Just store the trusted certificates in PEM format.
However, there you place trusted CAs, thus any CA you store could
potentially verify any server, which is quite dangerous and might not be
what you want.

The best alternative would be to store for every server the
corresponding certificate and during next connection verify that it
remained the same.

> Currently the trust file is the one that
> comes with the OS but I could make a user-specific one and copy the OS
> trust file contents into the user's.  Or is the trust file only a bundle
> of certificate authorities?  I can't find documentation on the format.

If you go with the first approach, you don't really need to store the
system file in the user one. You can call
gnutls_certificate_set_x509_key_file() multiple times (once to load the
system file and once more for the user's).

regards,
Nikos
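The per-server approach Nikos recommends, as an added example that is not part of this thread or of GnuTLS itself: a small trust-on-first-use store that remembers the certificate the user accepted for each host:port, keeps it in PEM so it can be inspected in an editor, and refuses a later connection whose certificate differs. The certificate bytes below are constructed stand-ins; in a real GnuTLS client they would be the DER bytes returned by gnutls_certificate_get_peers(), and the store path and the `decide()` policy are assumptions of this example.

```python
import base64, hashlib, json, tempfile
from pathlib import Path

# Constructed stand-ins for a server certificate's DER bytes (not real X.509).
# In a GnuTLS program they would come from gnutls_certificate_get_peers().
CERT_V1 = b"constructed-der-bytes-for-example.org-cert-1"
CERT_V2 = b"constructed-der-bytes-for-example.org-cert-2"

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour so the stored file can be read in an editor."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

class PinStore:
    """Accepted certificates keyed by host:port; an entry vouches for one server only."""
    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def status(self, host: str, port: int, der: bytes) -> str:
        """'unknown' on first contact, 'match' if unchanged, else 'mismatch'."""
        entry = self.pins.get(f"{host}:{port}")
        if entry is None:
            return "unknown"
        return "match" if entry["sha256"] == hashlib.sha256(der).hexdigest() else "mismatch"

    def accept(self, host: str, port: int, der: bytes) -> None:
        """Record the certificate the user accepted for this server and persist it."""
        digest = hashlib.sha256(der).hexdigest()
        self.pins[f"{host}:{port}"] = {"sha256": digest, "pem": to_pem(der)}
        self.path.write_text(json.dumps(self.pins, indent=1))

def decide(store: PinStore, host: str, port: int, der: bytes, user_accepts: bool) -> str:
    """Return 'connect' or 'refuse'; a changed certificate is never accepted automatically."""
    status = store.status(host, port, der)
    if status == "match":
        return "connect"
    if status == "unknown" and user_accepts:
        store.accept(host, port, der)
        return "connect"
    return "refuse"  # mismatch: the user must remove the stale entry deliberately

def demo() -> tuple:
    """Three consecutive connections to the same server, reloading the store each time."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "accepted-certs.json"
        first = decide(PinStore(path), "example.org", 443, CERT_V1, True)
        second = decide(PinStore(path), "example.org", 443, CERT_V1, True)
        changed = decide(PinStore(path), "example.org", 443, CERT_V2, True)
    return first, second, changed  # ('connect', 'connect', 'refuse')
```

Because the entry is tied to one host:port, a stored certificate can never vouch for a different server the way a CA placed in the trust file would.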


