emacs-devel

Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.


From: Toke Høiland-Jørgensen
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Wed, 08 Oct 2014 14:10:46 +0200

Lars Magne Ingebrigtsen <address@hidden> writes:

> Then the management of this could be done at a higher level, which
> would be `open-network-stream'.

Right, so (just to make sure I'm understanding you right), what you
propose is to get rid of all the current validation logic in C (i.e. the
erroring out) and just return something like (<cert hash> <cert
hostname> <CA validity status>) -- and then make the Lisp code work out
the rest?

Right now it seems the C code refuses to even return the opened network
stream object if validation fails; with this, that would have to change,
and the C code wouldn't make any policy decisions?

-Toke
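
The split discussed in this message, with the low-level layer only reporting (<cert hash> <cert hostname> <CA validity status>) and Lisp making the trust decision, could look like the following sketch. It is an added example, not code from this thread or from Emacs; every `my-tofu-` name, the `valid`/`invalid` status symbols, the in-memory pin store and the particular policy choices are assumptions made for illustration.

```elisp
;; Added illustration. All my-tofu-* names are hypothetical, not Emacs APIs.
(require 'cl-lib)

(defvar my-tofu-pins (make-hash-table :test #'equal)
  "Map from hostname to the certificate hash pinned for it (in memory only).")

(defun my-tofu-pin (cert-info)
  "Record the hash in CERT-INFO as the pinned certificate for its hostname."
  (puthash (cadr cert-info) (car cert-info) my-tofu-pins))

(defun my-tofu-decide (cert-info)
  "Return a verdict for CERT-INFO without side effects.
CERT-INFO is the list (HASH HOSTNAME CA-STATUS) the low-level layer is
assumed to report; CA-STATUS is assumed to be `valid' or `invalid'.
The verdict is `accept', `pin-and-accept', `ask-user' or `reject'."
  (cl-destructuring-bind (hash hostname ca-status) cert-info
    (let ((pinned (gethash hostname my-tofu-pins)))
      (cond
       ;; Known host presenting the certificate we pinned earlier.
       ((and pinned (string= pinned hash)) 'accept)
       ;; Known host, different certificate that a CA vouches for:
       ;; possibly a routine renewal, so a human decides.
       ((and pinned (eq ca-status 'valid)) 'ask-user)
       ;; Known host, different certificate, no CA backing: refuse.
       (pinned 'reject)
       ;; First contact with a CA-valid certificate: pin it silently.
       ((eq ca-status 'valid) 'pin-and-accept)
       ;; First contact, no CA backing: the classic TOFU prompt.
       (t 'ask-user)))))

(defun my-tofu-check (cert-info &optional confirm-fn)
  "Apply the policy to CERT-INFO; return non-nil if the stream may be used.
CONFIRM-FN, if given, is called with CERT-INFO when a human must decide.
With no CONFIRM-FN, an `ask-user' verdict fails closed."
  (cl-case (my-tofu-decide cert-info)
    (accept t)
    (pin-and-accept (my-tofu-pin cert-info) t)
    (ask-user (when (and confirm-fn (funcall confirm-fn cert-info))
                (my-tofu-pin cert-info)
                t))
    (reject nil)))

;; Constructed sample reports, as the low-level layer might return them.
(dolist (info '(("sha256:aaaa" "mail.example.org" valid)    ; first contact
                ("sha256:aaaa" "mail.example.org" invalid)  ; same cert again
                ("sha256:bbbb" "mail.example.org" invalid)  ; changed cert
                ("sha256:cccc" "irc.example.org" invalid))) ; unknown, no CA
  (message "%S -> %S" info (my-tofu-check info)))
```

Because the decision function is pure and the low-level report carries no verdict of its own, the policy can be changed or tested without touching the TLS code.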


