bug-wget

Re: [Bug-wget] [PATCH] GnuTLS support in 1.12


From: Micah Cowan
Subject: Re: [Bug-wget] [PATCH] GnuTLS support in 1.12
Date: Mon, 05 Oct 2009 10:07:42 -0700
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Ludovic Courtès wrote:
> Hi,
> 
> [Feel free to resend to the list if you did not intend your message to
> be private.]

Whoops! I did indeed. My Reply versus Reply-All skills seem to be
rapidly declining in my middle age. ;)

> Micah Cowan <address@hidden> writes:
> 
>> Ludovic Courtès wrote:
>>> Now, when using OpenSSL, certificates are checked against what?
>> The hostname of the site that is attempting to use it as a certificate
>> of authenticity. And of course, the root CAs whose certificates are
>> installed on the system.
> 
> That’s what I wanted to hear.  ;-)
> 
> The whole hierarchical model depending on a small set of “root
> certification authorities” isn’t very appealing to me.  I’m interested
> in using certificates to make sure that the domain-name/key-pair binding
> does not change over time–IOW that the people behind the domain name
> remain the same.
> 
> However, it’s not very useful to me to know whether some self-appointed
> “certificate authority” says it approves that domain/key binding.

Well, I can sympathize with that (most especially since certain CAs tend
to charge extortionist prices); however, that's why the user is always
free to choose his own "CAs", and install whatever root certs phe sees fit.

That said, Wget currently does a poor job of providing facilities for,
say, automatically caching "user-approved" certs and the like. That
might make an interesting GSoC project for next year...

--
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
Maintainer of GNU Wget and GNU Teseq
http://micah.cowan.name/
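
The thread above raises two ideas: checking that a host's certificate does not change over time, and caching "user-approved" certs. The following sketch of such a cache is an added example, not part of the original message and not Wget code; the `PinStore` class, its JSON file format and the sample certificate bytes are all assumptions made for illustration. It pins a hash of the whole certificate, so a renewal that keeps the same key pair would also be reported as a change.

```python
import hashlib
import json
import os
import tempfile

def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Hypothetical per-user cache mapping host:port to an approved fingerprint."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Return 'unknown', 'match' or 'changed'; never modifies the store."""
        pinned = self.pins.get(f"{host.lower()}:{port}")
        if pinned is None:
            return "unknown"      # first contact: the caller must ask the user
        return "match" if pinned == fingerprint(cert_der) else "changed"

    def approve(self, host: str, port: int, cert_der: bytes) -> None:
        """Record an explicit user approval and persist it atomically."""
        self.pins[f"{host.lower()}:{port}"] = fingerprint(cert_der)
        # mkstemp creates the file with mode 0600; os.replace swaps it in atomically
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

def demo() -> list:
    # Constructed byte strings standing in for DER-encoded certificates.
    cert_a, cert_b = b"constructed-certificate-A", b"constructed-certificate-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        store = PinStore(path)
        results = [store.check("Example.org", 443, cert_a)]         # nothing cached yet
        store.approve("example.org", 443, cert_a)
        reloaded = PinStore(path)                                   # a later run
        results.append(reloaded.check("example.org", 443, cert_a))  # same certificate
        results.append(reloaded.check("example.org", 443, cert_b))  # different certificate
        return results

if __name__ == "__main__":
    print(demo())
```

A client using such a cache would treat "changed" as a hard failure until the user approves the new certificate, rather than silently overwriting the stored fingerprint.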
