emacs-devel

Re: NSM certificate prompt


From: Eli Zaretskii
Subject: Re: NSM certificate prompt
Date: Sat, 13 Dec 2014 22:06:55 +0200

> From: Ted Zlatanov <address@hidden>
> Date: Sat, 13 Dec 2014 14:47:32 -0500
> 
> I'd make it the default, but through the trustfiles list: if the symbol
> 'system is found in the list, we load the system trust. And that's the
> default.  But the user can add their own trustfiles, as they do now.

What would be the reason for the user to remove 'system from the list?
If a user is somehow not happy about system trust data, she should
customize her system (if she is authorized), not Emacs.  E.g., add a
list of blacklisted certificates, remove certificates from the bundle,
etc.

> EZ> What about Posix systems -- won't calling
> EZ> gnutls_certificate_set_x509_system_trust remove the need to load
> EZ> gnutls-trustfiles explicitly for every TLS connection?
> 
> I think the user should be able to customize the trustfiles so the two
> are not exclusive.

To add certificates, I agree.  But to remove certificates through
Emacs?  That sounds backwards to me.

> I don't know about once-per-connection either, is that a GnuTLS
> feature with gnutls_certificate_set_x509_system_trust()?

No, I meant that we do this inside gnutls-boot, which AFAIU is invoked
for each new TLS connection.


