gnutls-devel

Re: recommendations for storage of accepted certificates


From: Nikos Mavrogiannopoulos
Subject: Re: recommendations for storage of accepted certificates
Date: Sun, 03 Oct 2010 08:34:48 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.12) Gecko/20100915 Thunderbird/3.0.8

On 10/02/2010 05:45 PM, Ted Zlatanov wrote:

> NM> The best alternative would be to store for every server the
> NM> corresponding certificate and during next connection verify that it
> NM> remained the same.
> OK.  The question is then where to store it.  Emacs can handle all the
> file interactions but I wondered if there's a convention
> (e.g. $HOME/.certs or some such) where I can drop those certificates.
> I'll call it $CERTDROP below.

I don't think there is a standard location for that. I'd put it in a DB
file (gdbm or so).

> 1) set up a conventional place where Emacs will drop accepted
> certificates, $CERTDROP/*.pem

If you're talking about server certificates I'd use:
servername.pem, instead of loading it with the trusted certificate root.

> 3) set up a facility within the Emacs GnuTLS support to accept and store
> unknown server certificates.  What function in the GnuTLS API can I use
> to provide this?  I can't find the right way in the docs or in the
> examples, sorry.

What do you mean by unknown server? Do you mean known but untrusted? In
any case gnutls doesn't provide such a facility for any of them. It was
considered to be application specific (now I'm looking for a solution to
that using pkcs11, but it wouldn't be available soon).

regards,
Nikos
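
The approach discussed in this message (store each server's certificate in a DB file and check on the next connection that it is unchanged), as an added example that is not part of the original message and is not GnuTLS or Emacs code. The names `verify_or_pin`, `pin_key`, `PinResult` and the `accept_new` callback are hypothetical, and the certificate bytes in the demo are constructed; a real caller would pass the raw peer certificate obtained from its TLS library.

```python
import dbm
import hashlib
from enum import Enum


class PinResult(Enum):
    PINNED = "pinned"        # first contact, user accepted, certificate stored
    REJECTED = "rejected"    # first contact, user declined, nothing stored
    MATCH = "match"          # same certificate as the stored one
    MISMATCH = "mismatch"    # certificate changed; stored record left untouched


def pin_key(host: str, port: int) -> bytes:
    # Normalise case and the trailing dot so one server maps to one record.
    return f"{host.strip().rstrip('.').lower()}:{port}".encode("utf-8")


def verify_or_pin(db_path, host, port, cert_der, accept_new):
    """Compare cert_der (raw certificate bytes from the TLS library) with the
    copy stored for host:port in the dbm file db_path.

    accept_new(host, sha256_hex) is a hypothetical callback standing in for
    the application's "accept this certificate?" prompt on first contact.
    """
    key = pin_key(host, port)
    # 0o600: the pin store decides whom the user trusts, keep it private.
    with dbm.open(db_path, "c", 0o600) as db:
        if key in db:
            # Known server: never overwrite on mismatch, only report it.
            return PinResult.MATCH if db[key] == cert_der else PinResult.MISMATCH
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        if accept_new(host, fingerprint):
            db[key] = cert_der
            return PinResult.PINNED
        return PinResult.REJECTED


if __name__ == "__main__":
    import os
    import tempfile

    store = os.path.join(tempfile.mkdtemp(), "pins")
    old, new = b"constructed-cert-A", b"constructed-cert-B"  # constructed samples
    print(verify_or_pin(store, "mail.example.org", 993, old, lambda h, fp: True))
    print(verify_or_pin(store, "mail.example.org", 993, old, lambda h, fp: True))
    print(verify_or_pin(store, "mail.example.org", 993, new, lambda h, fp: True))
```

A `MISMATCH` result leaves the stored certificate in place, so replacing a pin after a legitimate certificate rollover has to be a separate, deliberate action by the application.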


