Re: A couple of questions and concerns about Emacs network security

[Jimmy Yuen Ho Wong]

I'm not quite sure I follow you here.  OCSP is the online query stuff,
and is something that gnutls doesn't do, I think, and which is probably
not something we want to do either.  (Chrome doesn't, for instance.)

GnuTLS has had the ability to do OCSP since 3.1.3 released back in 2012. This is how you do it according to the manual.

Chrome's primary check OOTB is its own curated CRLSet, but it does use OCSP for some EV certs, and relies on the underlying library to do OCSP. You can also enable it in Chrome if you want.

 

But a certificate revocation list is something we could consider
distributing via ELPA, but that's a bigger project...

No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`) it looks for now, the same can be done for CRL files. Users can periodically update their CA bundle and CRL bundle. The CA bundle on *nix is typically Mozilla's, which is covered by the default list in `gnutls-trustfiles`. A complete list of CRL in PEM format typically don't exists on most systems, but can be generated with `igtf-ca-bundle` + `fetch-crl`. I just generated them on macOS via MacPorts, Linux should also be a matter of installing a few packages and running `fetch-crl`.

 

Or do you mean OCSP stapling?  There's so much going on in this area
(because it's a clusterfuck to begin with) that it can be challenging
keeping track.  :-)

Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP above.