emacs-devel

Re: master 91c732f: Always check for client-certificates


From: Michael Welsh Duggan
Subject: Re: master 91c732f: Always check for client-certificates
Date: Tue, 19 Nov 2019 01:48:00 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Robert Pluim <address@hidden> writes:

>>>>>> On Mon, 18 Nov 2019 17:38:42 +0200, Eli Zaretskii <address@hidden> said:
>
>     >> From: Robert Pluim <address@hidden>
>     >> Date: Mon, 18 Nov 2019 10:06:19 +0100
>     >> Cc: Dmitry Alexandrov <address@hidden>, address@hidden
>     >> 
>     Lars> I didn't realise that this would mean accessing the .authinfo.gpg file
>     Lars> by default for https connections.  I don't think that's a
>     Lars> good idea, so
>     Lars> network-stream-use-client-certificates has to default to nil.
>     >> 
>     >> I can flip the default if thatʼs the consensus.
>
>     Eli> If everyone agrees with Lars, then we have a consensus.  But if you
>     Eli> disagree, I'd like to hear your arguments (and anyone else's really),
>     Eli> before we decide what is the consensus.
>
> I'm doubly biased: I implemented it, and I read email in Emacs, so
> .authinfo.gpg gets decrypted for me anyway, so having it done for eww
> or package-list-packages is a no-op, which means I disagree, but not
> strongly.
>
> The reason for the feature is to make it easy to use certificates:
> just add the right stuff to .authinfo.gpg, and everything else happens
> by itself, much like usernames/passwords when sending
> email.
>
> Defaulting it to off means more configuration burden on the user.
> Defaulting it to on means that some people who object to it need to
> customize auth-sources and/or network-stream-use-client-certificates.

Would it be difficult (or a bad idea) to make it such that the first
time someone uses a package that might want to use .authinfo.gpg for
private information, a separate prompt comes up asking whether people
want to load their .authinfo.gpg this time, not this time, every time
(and don't ask again), or never (and don't ask again)?  This one prompt
can be verbose, popping up a window with an explanation, with the
understanding that the user can make an informed choice and not have to
do this again.  This may be clunky, but this is the simplest way I can
think of to "have your cake and eat it too."

This seems similar to the "how do I set up email to work the first time
when I send an Emacs bug report" problem.  It also is similar to the
sort of thing that is done when someone visits a site with self-signed
certificates and suchlike.

-- 
Michael Welsh Duggan
(address@hidden)
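
A sketch of the four-way prompt proposed in the message above, added here as an illustration; it is not code from the thread or from Emacs. All `my-` names are hypothetical, and it assumes `open-network-stream` honours `network-stream-use-client-certificates` as the thread describes.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added illustration; every `my-' name is hypothetical, not part of Emacs.
(require 'network-stream) ; makes network-stream-use-client-certificates special
(require 'cus-edit)       ; customize-save-variable

(defcustom my-client-cert-policy 'ask
  "Whether network code may consult `auth-sources' for client certificates.
`ask' prompts each time; `always' and `never' are remembered answers."
  :type '(choice (const ask) (const always) (const never))
  :group 'comm)

(defun my-client-cert-allowed-p (host)
  "Return non-nil if a client-certificate lookup for HOST may proceed.
With policy `ask', prompt; the two \"don't ask again\" answers are saved."
  (pcase my-client-cert-policy
    ('always t)
    ('never nil)
    (_
     (pcase (car (read-multiple-choice
                  (format "Look up a client certificate for %s in auth-sources? "
                          host)
                  '((?y "yes" "Allow the lookup this time")
                    (?n "no" "Skip the lookup this time")
                    (?a "always" "Allow now and in future, don't ask again")
                    (?v "never" "Skip now and in future, don't ask again"))))
       (?y t)
       (?n nil)
       (?a (customize-save-variable 'my-client-cert-policy 'always) t)
       (?v (customize-save-variable 'my-client-cert-policy 'never) nil)))))

(defun my-open-network-stream (name buffer host service &rest parameters)
  "Like `open-network-stream', but gate the certificate lookup on consent.
The variable is bound only for this call, so a \"not this time\" answer
keeps .authinfo.gpg from being consulted for this connection."
  (let ((network-stream-use-client-certificates
         (my-client-cert-allowed-p host)))
    (apply #'open-network-stream name buffer host service parameters)))
```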


