Re: Additional network security

[Ted Zlatanov]

On Sun, 07 Dec 2014 14:35:30 +0900 "Stephen J. Turnbull" <address@hidden> 
wrote: 

SJT> Stefan Monnier writes:
>> > GnuTLS doesn't really set policy here; that's up to the application.
>> 
>> Damn!

SJT> Welcome to the wild world of security.  Can't if you do, damned if you
SJT> don't.

Fortunately, it's not up to the application either. The user can choose
their policy:

gnutls-algorithm-priority is a variable defined in `gnutls.el'.
Its value is nil

Documentation:
If non-nil, this should be a TLS priority string.
For instance, if you want to skip the "dhe-rsa" algorithm,
set this variable to "normal:-dhe-rsa".

Given this precedent, I think it would make sense to offer some
fine-grained control over NSM checks as well, similar to
`gnutls-verify-error' as I mentioned.  We've gone Lispy with the NSM
configuration, but if we were consistent with the GnuTLS approach, the
NSM tuning would be simply a string like "paranoid:-crazy" (paranoid but
not crazy, heh heh).  This is still possible:

* map a symbol to its symbol-name
* parse NSM security levels like GnuTLS priority strings
* allow setting these strings per host regex
* PROFIT

WDYT?

Ted