emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 18:25:49 +0100

On Sun, Jul 8, 2018 at 6:06 PM Paul Eggert <address@hidden> wrote:
>
> Jimmy Yuen Ho Wong wrote:
> > If you are thinking about renaming the "Default" tag in
> > `gnutls-min-prime-bits` 's defcustom, don't. I will start doubting
> > whether you are doing this under good faith
>
> There's no need to be using ad hominem language like that. Assume that we are
> miscommunicating, as this is the obvious and most likely explanation for the
> behavior you're observing. Indulging in attacks will make your efforts less
> likely to succeed.

I have been quite lenient to everyone as I'm trying to figure a lot of
things myself. But sometimes, when there's clearly no good reason to
do something, but still insisting on doing it, especially when it
comes to security matters, you have to resolve to the last resort,
which is start doubting whether you are dealing with a friend or an
adversary.

I would urge a little less stubbornness in changing some of the defaults.

If I've given the impression that setting `gnutls-min-prime-bits` to
256 will make the connection use a 256-bit prime, I apologize. I
don't think I have done that since the very beginning of this thread,
but I haven't clarified myself enough; here's my sincere apology. I
only believe this is a UI issue, which may have some security
consequences.

The last thing I would suggest to Lars is, `gnutls-verify-error` will
effectively bypass NSM, so please don't pretend NSM is the be-all and
end-all layer for all matters related to Emacs' network security. It's
not, not until you consent to removing or changing some of the
standard values of the defcustoms in the 'gnutls group, or better yet,
merge NSM and GnuTLS together, and rename some of the 'gnutls group's
options, i.e. (define-obsolete-variable-alias 'gnutls-verify-error
'nsm-bypass "27.1"). Better UI/UX/DX design is almost always more
preferable than documentation.


