bug-gnu-emacs

bug#19404: 25.0.50; Gnus shows self-signed certificate warning when conn


From: David Engster
Subject: bug#19404: 25.0.50; Gnus shows self-signed certificate warning when connecting to Gmane
Date: Fri, 19 Dec 2014 17:55:19 +0100
User-agent: Gnus/5.13001 (Ma Gnus v0.10) Emacs/24.3.91 (gnu/linux)

Lars Ingebrigtsen writes:
> Eli Zaretskii <eliz@gnu.org> writes:
>
>>> It simply means: "The certificate’s issuer is not known. This is the
>>> case if the issuer is not included in the trusted certificate list."
>>
>> I suggest that we say something like this, indeed.
>
> However, this means nothing to people who don't know what it already
> means, while "self-signed" is something that more people understand.

You wish...

> But the suggestion to only suggest that the certificate may be
> self-signed if the issuer and host name are the same may help a bit.
> There's quite a few self-signed sites out there where that's not the
> case, though.

The host name has nothing to do with a certificate being self-signed or
not. Forget actual servers for a moment and look only at the
certificate. There's an 'issuer' and a 'subject'. Both contain
identities in the form of a string like

  /C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org

As you can see, part of that string is the "common name" (CN), which can
be a hostname (maybe with a wildcard), an email address, etc. Whoever
has the private key for that certificate claims the identity for that
CN.

The 'issuer' is the identity who signed that certificate with its own
private key. In real life this should mean that the issuer made sure
that the person who created that certificate with this CN is actually
the administrator for that server, or the person with that e-mail
address.

If a certificate is "self-signed", this means that issuer and subject
are the same entity, i.e., the string in there is identical. There are
some rules for how these strings must be compared. I think(!) that if you
simply compare them byte by byte, you should err on the side of
safety. But I would assume there is a function for that in GnuTLS that
adheres to RFC 5280 for comparing such things.

As to what messages we should emit in such cases, I think we should
simply say what Firefox says: "The certificate is not trusted because it
is self-signed."

-David
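The two comparison strategies David contrasts above, worked through as an added example (this is not code from the bug thread or from Emacs/GnuTLS). It parses the OpenSSL one-line DN form quoted in the message (`/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org`, a constructed value here) and offers both the conservative byte-for-byte check and the more lenient RFC 5280 section 7.1 name matching (case-insensitive, internal whitespace collapsed, RDN attribute order not significant). The function names `parse_dn`, `names_match_strict`, `names_match_rfc5280` and `looks_self_signed` are this example's own. Note that an issuer/subject name match only tells you the certificate is self-issued; proving it is self-signed also requires verifying its signature with its own public key, which this name-only check deliberately does not attempt.

```python
"""Compare X.509 issuer and subject names two ways: byte-for-byte
(the conservative check) and per RFC 5280 section 7.1 (the standard's
name-matching rules).  Added example, not part of the bug thread."""

import re
from typing import Dict, List, Tuple

# One RDN is a SET of (attribute-type, value) pairs.  OpenSSL's one-line
# form separates RDNs with '/' and multi-valued RDNs with '+'.
RDN = List[Tuple[str, str]]


def parse_dn(dn: str) -> List[RDN]:
    """Parse the unescaped OpenSSL '/type=value/...' DN form into RDNs.

    Values containing a literal '/' or '+' are not handled; real code
    should work on the DER-encoded Name rather than on this rendering.
    """
    if not dn.startswith("/"):
        raise ValueError("expected OpenSSL '/type=value/...' form")
    rdns: List[RDN] = []
    for rdn_text in dn[1:].split("/"):
        if not rdn_text:
            raise ValueError("empty RDN in %r" % dn)
        rdn: RDN = []
        for ava in rdn_text.split("+"):
            attr_type, sep, value = ava.partition("=")
            if not sep or not attr_type:
                raise ValueError("malformed attribute %r" % ava)
            rdn.append((attr_type, value))
        rdns.append(rdn)
    return rdns


def _normalize_value(value: str) -> str:
    """Simplified RFC 5280 7.1 string preparation: trim, collapse runs
    of whitespace to one space, and fold case."""
    return re.sub(r"\s+", " ", value).strip().casefold()


def _rdn_key(rdn: RDN) -> Dict[str, str]:
    # Attribute order inside one RDN is a SET, so a dict ignores it.
    return {t.upper(): _normalize_value(v) for t, v in rdn}


def names_match_strict(dn_a: str, dn_b: str) -> bool:
    """Byte-for-byte equality: never matches two names the RFC would
    consider different, so it 'errs on the side of safety'."""
    return dn_a == dn_b


def names_match_rfc5280(dn_a: str, dn_b: str) -> bool:
    """RFC 5280 7.1: same number of RDNs, pairwise same attribute types,
    and values equal after string preparation."""
    a, b = parse_dn(dn_a), parse_dn(dn_b)
    if len(a) != len(b):
        return False
    return all(_rdn_key(x) == _rdn_key(y) for x, y in zip(a, b))


def looks_self_signed(issuer: str, subject: str, strict: bool = True) -> bool:
    """Name-based heuristic from the thread: issuer == subject.

    Strictly this detects a *self-issued* certificate; a *self-signed*
    one additionally verifies under its own public key, which needs the
    signature and key material and is out of scope for this example.
    """
    if strict:
        return names_match_strict(issuer, subject)
    return names_match_rfc5280(issuer, subject)


if __name__ == "__main__":
    # Constructed sample names, modelled on the one quoted in the thread.
    gmane = "/C=NO/ST=Some-State/O=Gmane/CN=news.gmane.org"
    ca = "/C=US/O=Example CA/CN=Example Root"
    print("same name, strict:", looks_self_signed(gmane, gmane))
    print("CA-issued, strict:", looks_self_signed(ca, gmane))
    print("case differs, strict:",
          names_match_strict("/O=Gmane/CN=News.Gmane.Org", gmane[-24:]))
    print("case differs, RFC 5280:",
          names_match_rfc5280("/O=Gmane/CN=News.Gmane.Org", "/O=gmane/CN=news.gmane.org"))
```

The practical consequence for a client: with `strict=True` a certificate whose issuer differs from its subject only in letter case is reported as *not* self-signed, which is the safe failure (the user sees the "issuer unknown" message rather than a possibly misleading "self-signed" one); the RFC 5280 comparison is what a library such as GnuTLS would use when it compares names during chain building.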
