Re: Default value of tls-checktrust should be 'ask
From: Sascha Wilde
Subject: Re: Default value of tls-checktrust should be 'ask
Date: Tue, 08 Apr 2008 15:04:09 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (gnu/linux)
Jason Rumney <address@hidden> wrote:
> Sascha Wilde wrote:
>>> We should also provide an easy way to insert the certificate into a
>>> local trust store (ie 'ask will allow "always" and "never" as well as
>>> "yes" and "no" answers) , to give the power over who to trust back to
>>> the users, rather than allowing companies like Verisign to monopolise
>>> it. Does gnutls have a local per user store we can use for this?
>>
>> No need for this, you can always add (or remove) any CA's root
>> certificate, see tls-checktrust docstring for examples on how to
>> configure a specific root-cert collection. (and of course the
>> documentation for gnutls for further details.)
>
> How does the docstring of tls-checktrust solve the problem? There is
> no convenient UI for trusting individual server certificates,
I agree that a UI for managing trusted (root) certificates would be
convenient. But implementing it will need some serious effort.
Anyway, it's orthogonal to the default value of tls-checktrust, which IMO
should be changed even if it means that the new default is a bit less
convenient, because the current default is dangerous.
sascha
--
Sascha Wilde
Hi! I'm a .signature *virus*! Copy me into your ~/.signature to help me spread!