emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 25 Jun 2018 19:06:00 +0100

Here's the updated patch.

Suggested material to include in the manual or NEWS:

Emacs now has preliminary checks for revoked TLS certificates. To utilize this feature, users are advised to install the IGTF trust anchor distribution and FetchCRL packages for their system, and update their .crl.pem files periodically in order to get the most updated Certificate Revocation Lists. Refer to the docstring of `gnutls-crlfiles' for details on how to supply their file locations to Emacs.



On Mon, Jun 25, 2018 at 6:16 PM, Eli Zaretskii <address@hidden> wrote:
> From: Jimmy Yuen Ho Wong <address@hidden>
> Date: Sun, 24 Jun 2018 22:30:50 +0100
> Cc: Eli Zaretskii <address@hidden>, Paul Eggert <address@hidden>,
>       Noam Postavsky <address@hidden>, address@hidden
>
> Here's the patch to get GnuTLS to do CRL checking.

Thanks, a few minor comments:

> +(defcustom gnutls-crlfiles
> +  '(
> +    "/etc/grid-security/certificates/*.crl.pem"
> +    )
> +  "List of CRL file paths or a function returning said list.
> +If a file path contains a glob pattern, it will be expanded.
> +The files may be in PEM or DER format, as per the GnuTLS documentation.
> +The files may not exist, in which case they will be ignored."
> +  :group 'gnutls
> +  :type '(choice (function :tag "Function to produce list of CRL filenames")
> +                 (repeat (file :tag "CRL filename"))))
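Review bot: With the default pointing only at "/etc/grid-security/certificates/*.crl.pem" and the docstring stating that missing files are ignored, a system without the IGTF distribution installed performs no revocation check at all and gets no indication of that; consider saying so in the docstring (for example, "CRL checking only happens when at least one listed file exists") or warning when the expanded list is empty. The `:type' also admits an arbitrary function that is called during TLS setup from a user-settable option; a plain `(repeat (file :tag "CRL filename"))' is the safer choice unless the function form is actually needed. Either way the defcustom still lacks a `:version' tag.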

This should have a :version tag.

Do we really want/need to allow a function here?  Isn't a list of
files enough?  A function is more dangerous than a string, especially
in a security-sensitive place.

Finally, I think this defcustom needs to be called out in NEWS.

Attachment: 0001-Check-TLS-certs-against-CRL.patch
Description: Binary data
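As an added example, not code from the patch or from Emacs itself, here is one way to resolve a `gnutls-crlfiles'-style value the way the docstring quoted above describes it: the value is either a list of paths or a function returning one, glob patterns are expanded, and files that do not exist are dropped. Because an empty result means the connection proceeds with no revocation check, the resolver also warns in that case. The `my-gnutls-' names are hypothetical, and the temporary directory and placeholder CRL file are constructed for the demonstration; the returned list is what a caller would hand to `gnutls-boot' as `:crlfiles'.

```elisp
;;; Added example (not Emacs's own code): resolve a gnutls-crlfiles-style
;;; setting into the existing CRL files that would be passed to GnuTLS.

(require 'cl-lib)

(defun my-gnutls-resolve-crlfiles (spec)
  "Expand SPEC into the list of readable CRL files it names.
SPEC is a list of file names, which may contain glob patterns, or a
function returning such a list.  Patterns that match nothing and
files that cannot be read are dropped, mirroring the docstring of
`gnutls-crlfiles'.  A warning is issued when SPEC names something but
nothing usable was found, since that silently disables CRL checking."
  (let* ((entries (if (functionp spec) (funcall spec) spec))
         (files (cl-loop for pattern in entries
                         ;; `file-expand-wildcards' with FULL non-nil returns
                         ;; absolute names and nil when nothing matches, which
                         ;; also covers a plain path that does not exist.
                         append (cl-remove-if-not
                                 #'file-readable-p
                                 (file-expand-wildcards pattern t)))))
    (when (and entries (null files))
      (display-warning
       'gnutls
       "No CRL files found; certificates will not be checked for revocation"
       :warning))
    files))

(defun my-gnutls-crlfiles-demo ()
  "Exercise `my-gnutls-resolve-crlfiles' on a constructed directory.
Returns three results: a glob match, a missing directory, and the
function form of the setting."
  (let* ((dir (make-temp-file "crl-demo" t)) ; constructed temp directory
         (crl (expand-file-name "example.crl.pem" dir)))
    (unwind-protect
        (progn
          ;; Placeholder contents; a real file would hold a PEM-encoded CRL.
          (with-temp-file crl
            (insert "-----BEGIN X509 CRL-----\n-----END X509 CRL-----\n"))
          ;; An unrelated file that the glob must not pick up.
          (with-temp-file (expand-file-name "notes.txt" dir)
            (insert "not a CRL\n"))
          (list
           ;; Glob form: only the .crl.pem file comes back.
           (my-gnutls-resolve-crlfiles
            (list (expand-file-name "*.crl.pem" dir)))
           ;; Missing directory: an empty list plus a warning, not an error.
           (my-gnutls-resolve-crlfiles
            '("/nonexistent/grid-security/certificates/*.crl.pem"))
           ;; Function form: the list is computed at resolution time.
           (my-gnutls-resolve-crlfiles (lambda () (list crl)))))
      (delete-directory dir t))))
```

Evaluating (my-gnutls-crlfiles-demo) should return a list whose first and third elements each contain only the temporary example.crl.pem path and whose second element is nil, with a gnutls warning emitted for that second case. The warning is the part a practitioner would want in the real feature: with the grid-specific default path, most systems will match no files, and without some signal the "preliminary" revocation check is simply absent.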

