Re: Network security manager

[Toke Høiland-Jørgensen]

Ted Zlatanov <address@hidden> writes:

> This was discussed recently here and in the GnuTLS mailing list. With
> the default settings in Emacs, it's not vulnerable to POODLE.

Well it could also be something like warning when Perfect Forward
Security is not available (for instance). However, as long as
gnutls-algorithm-priority keeps working I can live with that. :)

> TH> Finally, doing DANE verification (and trusting that more than the CA)
> TH> would be nice; but not sure how viably it is presently.
>
> Can you clarify?  What are the requirements and benefits in your
> opinion?

Well, DANE allows for storing certificate info in DNS and verifying its
integrity with DNSSEC. This has the nice property that no CA is needed,
and can give as good or stronger guarantees on cert integrity as
verifying against a CA can.

The downside is that it's not terribly widely deployed yet, and also
that it requires working DNSSEC support to work.

> True, but I really don't see the harm in saving those in cleartext.
> Like I said, I would use a .gpg file if I was worried about leaking
> that data. With the current approach I think you'll see two problems:

Tangentially related, one thing I would like to be able to have, is to
have multiple fingerprints stored for the same host,post tuple *at the
same time*. I run into this problem with servers that do round-robin to
different servers with different certs for the same hostname. I'd like
to be able to store all of them at once (by, for instance, connecting a
bunch of times and trusting the certificates one by one, and then know
that after that a mismatch should be considered suspicious).

-Toke