Re: Network security manager

From: Lars Magne Ingebrigtsen
Subject: Re: Network security manager
Date: Wed, 19 Nov 2014 09:46:12 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

Ted Zlatanov <address@hidden> writes:

> What do you think about the verification and TOFU implementation in
> gnutls-cli? Please see
> https://gitorious.org/gnutls/gnutls/raw/master:src/cli.c inside
> cert_verify_callback() for the details.
> * uses SSH-style gnutls_store_pubkey() and gnutls_verify_stored_pubkey()
>   to DTRT and pins the public key rather than the certificate
>   fingerprint. The pub keys are stored by default in a way that lets the
>   user look them up by hostname, but we can customize that. And it's
>   mostly handled by GnuTLS internals as far as pubkey extraction and
>   verification.
> * does DANE auth (although I don't know the details on DANE, the
>   client implementation looks reasonable and Toke suggested it)
> * checks OCSP for revocations using cert_verify_ocsp() in the same cli.c

So gnutls proper doesn't do this?  We'd have to implement it ourselves
if we want it...  (I mean, copy chunks of their code.  >"?)

Can we do DANE and OCSP from Emacs Lisp?

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
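Added illustration (not code from this thread, GnuTLS or Emacs): a small trust-on-first-use store of the kind Ted describes, keyed by hostname and pinning a hash of the certificate's SubjectPublicKeyInfo rather than the whole-certificate fingerprint. It walks the DER structure of a certificate to the subjectPublicKeyInfo field, so a renewed certificate carrying the same key still matches while a changed key does not. The certificates are constructed stand-ins with the right DER shape and dummy issuer/validity/subject fields; `PinStore`, `fake_cert` and the hostname are hypothetical names chosen for the example.

```python
import base64
import hashlib
import hmac

# ---- minimal DER helpers (enough to walk an X.509 Certificate) ----

def der_length(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of first content byte)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: n following length bytes
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_content(tlv):
    """Content octets of a single TLV."""
    length, start = der_length(tlv, 1)
    return tlv[start:start + length]

def der_children(content):
    """Split the content of a constructed type into (tag, raw TLV) pairs."""
    out, i = [], 0
    while i < len(content):
        length, start = der_length(content, i + 1)
        end = start + length
        out.append((content[i], content[i:end]))
        i = end
    return out

def der(tag, content):
    """Encode one TLV, using short- or long-form length as DER requires."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# ---- public-key pinning ----

def extract_spki(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, returned as its raw TLV."""
    tbs_tlv = der_children(der_content(cert_der))[0][1]
    fields = der_children(der_content(tbs_tlv))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def spki_pin(cert_der):
    """Pin value: base64(SHA-256(SPKI)) -- the key, not the certificate, is what is pinned."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def cert_fingerprint(cert_der):
    """Whole-certificate fingerprint, shown only to contrast it with the SPKI pin."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Hypothetical TOFU store: hostname -> SPKI pin (the shape of gnutls' stored-pubkey lookup)."""
    def __init__(self):
        self.pins = {}

    def verify(self, hostname, cert_der):
        """'unknown' on first contact (caller decides whether to pin), then 'match' or 'mismatch'."""
        stored = self.pins.get(hostname)
        if stored is None:
            return "unknown"
        return "match" if hmac.compare_digest(stored, spki_pin(cert_der)) else "mismatch"

    def remember(self, hostname, cert_der):
        self.pins[hostname] = spki_pin(cert_der)

# ---- constructed sample data: structurally valid DER with dummy fields, not real certificates ----

RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption

def fake_spki(key_bytes):
    return der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))

def fake_cert(serial, spki):
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),    # [0] version: v3
        der(0x02, serial),                # serialNumber
        der(0x30, b""),                   # signature algorithm (placeholder)
        der(0x30, b""),                   # issuer (placeholder)
        der(0x30, b""),                   # validity (placeholder)
        der(0x30, b""),                   # subject (placeholder)
        spki,                             # subjectPublicKeyInfo
    ]))
    sig = der(0x03, b"\x00" + b"\xAA" * 256)   # >127 bytes, so the outer length is long-form
    return der(0x30, tbs + der(0x30, b"") + sig)

KEY_A = fake_spki(b"\x01" * 64)
KEY_B = fake_spki(b"\x02" * 64)
CERT_FIRST   = fake_cert(b"\x01", KEY_A)   # first certificate seen for the host
CERT_RENEWED = fake_cert(b"\x02", KEY_A)   # renewed: new serial, same key
CERT_NEW_KEY = fake_cert(b"\x03", KEY_B)   # key changed (rotation, or an impostor)

def demo():
    store = PinStore()
    host = "mail.example.test"             # hypothetical hostname
    results = [store.verify(host, CERT_FIRST)]
    store.remember(host, CERT_FIRST)       # pin after the user accepts the first contact
    results.append(store.verify(host, CERT_RENEWED))
    results.append(store.verify(host, CERT_NEW_KEY))
    return results

if __name__ == "__main__":
    print(demo())   # ['unknown', 'match', 'mismatch']
```

`cert_fingerprint(CERT_FIRST)` and `cert_fingerprint(CERT_RENEWED)` differ while their `spki_pin` values agree, which is the practical reason for pinning the key: routine certificate renewal with an unchanged key produces no warning, and only a key change surfaces as a mismatch the user has to decide about.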
