Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.

[Toke Høiland-Jørgensen]

Lars Magne Ingebrigtsen <address@hidden> writes:

> I think all the certificate checking should just work out of the box
> without the user having to do any configuration or shell commands.
> I.e., it should be done by `open-network-stream'.

Right, I can definitely see the point of that, and ultimately this is
definitely desirable. The GnuTLS TOFU mode could be a way to do the
heavy lifting of certificate fingerprint storing and verification etc.

I don't think I'm sufficiently familiar with the innards of
open-network-stream to implement this, sorry. However, if you agree this
could be a reasonable building block for the user-facing functionality I
could rework the patch to (a) signal an appropriate error code when
verification fails and (b) add a parameter to add the certificate to the
trust chain. The lisp code could then use this functionality (by passing
the appropriate parameters to gnutls-boot) to implement the user-facing
y/no/maybe/whatever on top of it.

This would allow me to scratch my own itch (getting basic TOFU support
for me to put into gnutls-verify-error) while at the same time
contributing something to the overall problem.

Would you be interested in such a patch? :)


Also, I'll add that TOFU can also be used to ensure stronger trust than
just checking that the certificate validates; it can also be used for
certificate pinning to ensure that it doesn't change. This is what I use
it for personally, and I consider it a nice added security...

-Toke