emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 17:51:27 +0100

>
> We are best off doing what the browser vendors are doing (Chrome,
> Firefox, and Safari generally being good exemplars.)
>

AFAIK, NSM is trying to do exactly that. Lars has set up a good structure here.

>
> Not having CT is a problem. Certificate forgery in the field is
> becoming a serious issue. Just a couple of days ago I was informed
> that the WiFi on Turkish airliners now intercepts your TLS
> traffic with the use of faked up certs. It's becoming so common in
> various countries that we simply need it. If GnuTLS won't do it, then
> we use something else that provides it.
>

There's a CT ticket[1] for GnuTLS. It's not coming any time soon tho,
so OCSP will have to do for now. Although, I'm pretty sure you can
extract the raw DER bytes and parse the SCT extension in
LISP using some bit manipulation magic (I don't even want to think
about it now.... feel free to pick it up).

[1]: https://gitlab.com/gnutls/gnutls/issues/232
[2]: https://www.gnutls.org/manual/gnutls.html#X_002e509-extensions
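
The SCT parsing suggested in the message above, as an added Emacs Lisp example that is not part of the original post and is not Emacs or GnuTLS code. It assumes the content of the extension with OID 1.3.6.1.4.1.11129.2.4.2 has already been pulled out of the certificate and its DER OCTET STRING wrappers removed, leaving the TLS-encoded list from RFC 6962 section 3.3 as a unibyte string; all `sct-` names are hypothetical.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: decode a SignedCertificateTimestampList (RFC 6962, 3.3).
;; Assumes 64-bit integers (Emacs 27+ or a 64-bit build) for the timestamp.
(defun sct--slice (bytes pos len)
  "Return LEN bytes of BYTES from POS, or signal on truncated input."
  (if (> (+ pos len) (length bytes))
      (error "Truncated SCT data at offset %d" pos)
    (substring bytes pos (+ pos len))))

(defun sct--uint (bytes pos len)
  "Read a LEN-byte big-endian unsigned integer from BYTES at POS."
  (let ((n 0))
    (mapc (lambda (b) (setq n (logior (ash n 8) b)))
          (sct--slice bytes pos len))
    n))

(defun sct-parse-one (sct)
  "Parse one serialized v1 SCT (a unibyte string) into a plist."
  (unless (= (sct--uint sct 0 1) 0)
    (error "Unsupported SCT version"))
  (let* ((ext-len (sct--uint sct 41 2))  ; after version, log ID, timestamp
         (pos (+ 43 ext-len))            ; start of the digitally-signed part
         (sig-len (sct--uint sct (+ pos 2) 2)))
    (unless (= (+ pos 4 sig-len) (length sct))
      (error "SCT length mismatch"))
    (list :log-id (mapconcat (lambda (b) (format "%02x" b))
                             (sct--slice sct 1 32) "")
          :timestamp-ms (sct--uint sct 33 8)
          :hash-alg (sct--uint sct pos 1) :sig-alg (sct--uint sct (+ pos 1) 1)
          :signature (sct--slice sct (+ pos 4) sig-len))))

(defun sct-parse-list (bytes)
  "Parse a SignedCertificateTimestampList held in unibyte string BYTES."
  (let ((pos 2) scts)
    (unless (= (+ 2 (sct--uint bytes 0 2)) (length bytes))
      (error "SCT list length mismatch"))
    (while (< pos (length bytes))
      (let ((len (sct--uint bytes pos 2)))
        (push (sct-parse-one (sct--slice bytes (+ pos 2) len)) scts)
        (setq pos (+ pos 2 len))))
    (nreverse scts)))

;; Constructed sample: one SCT, zeroed log ID, SHA-256/ECDSA, dummy signature.
(defconst sct-sample
  (let ((sct (concat (unibyte-string 0) (make-string 32 0)  ; v1, log ID
                     (unibyte-string 0 0 1 0 0 0 0 0 0 0)   ; time, no ext
                     (unibyte-string 4 3 0 2 #xde #xad))))  ; algs, signature
    (concat (unibyte-string 0 (+ 2 (length sct)) 0 (length sct)) sct)))
(sct-parse-list sct-sample)
```

This only decodes the structure. Trusting an SCT still requires verifying its signature against the public key of a known log, which the code does not do.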
