emacs-devel

Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.


From: Ted Zlatanov
Subject: Re: [PATCH RFC] GnuTLS: Support TOFU certificate checking.
Date: Thu, 09 Oct 2014 09:10:17 -0400
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (darwin)

On Wed, 08 Oct 2014 19:07:48 +0200 Toke Høiland-Jørgensen <address@hidden> wrote:

TH> Lars Magne Ingebrigtsen <address@hidden> writes:
>> Well, I kinda think the TOFU stuff is a fine band-aid, but we really
>> need a suture here, and the band-aid really sounds like it would more
>> get in the way of getting what we really need. :-)

TH> Yeah, well for right now I'm in the band-aid making business I guess :)

TH> Resubmitted the updated patch and will return once I have some time for
TH> making sutures...

Toke and Lars, I would really appreciate it if you could review this
thread, which was my preliminary research in 2010 on how we could store
and verify certificates, with comments from Nikos (the maintainer of
GnuTLS). It predates the TOFU features.

http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4580

Lars, I think it would be smart to resume that conversation and ask the
GnuTLS guys about Toke's approach vs. the oversight-from-ELisp approach
you suggested. I think Eli is on the GnuTLS mailing list and perhaps
others will join in.

Either way, I think the TOFU functions will at least have to be exposed
to ELisp when they are available so the certificate UI can use them. So
I can break Toke's patch in two pieces for that purpose, if that's OK
with everyone, and apply the part I know we'll need.

Thanks
Ted



