
Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.

From: Lars Magne Ingebrigtsen
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Wed, 08 Oct 2014 15:25:43 +0200
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

> So you want to return a descriptor for a connection that failed
> certificate validation, and let the application handle that?

The other option is to have the C layer close the connection, signal an
error, have `open-network-stream' query the user about the invalid
certificate, the user says "connect anyway", and then we'd reconnect
with other options.

That seems less ... convenient.

> That could work, but I don't know what security-wary people here will
> tell about keeping such connections.

I think I know.  >"?

But there should be no further security implications, really, if you're
using `open-network-stream'.  If you're using the low-level C functions
yourself, you have to respond to the invalid certificate yourself, but
why would you?

We're just moving the certificate handling up to the Lisp level --
nothing more.

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
