recommendations for storage of accepted certificates

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Oct 3 08:34:48 CEST 2010


On 10/02/2010 05:45 PM, Ted Zlatanov wrote:

> NM> The best alternative would be to store for every server the
> NM> corresponding certificate and during next connection verify that it
> NM> remained the same.
> OK.  The question is then where to store it.  Emacs can handle all the
> file interactions but I wondered if there's a convention
> (e.g. $HOME/.certs or some such) where I can drop those certificates.
> I'll call it $CERTDROP below.

I don't think there is a standard location for that. I'd put it in a DB
file (gdbm or so).

> 1) set up a conventional place where Emacs will drop accepted
> certificates, $CERTDROP/*.pem

If you're talking about server certificates, I'd use servername.pem
instead of loading it with the trusted certificate root.

> 3) set up a facility within the Emacs GnuTLS support to accept and store
> unknown server certificates.  What function in the GnuTLS API can I use
> to provide this?  I can't find the right way in the docs or in the
> examples, sorry.

What do you mean by unknown server? Do you mean known but untrusted? In
any case gnutls doesn't provide such a facility for any of them. It was
considered to be application specific (now I'm looking for a solution to
that using pkcs11, but it wouldn't be available soon).

regards,
Nikos
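The store-and-compare scheme discussed in this message (save the certificate a server presents on first contact as servername.pem, refuse silently trusting a different one later), as an added example in Python; it is not code from the thread or from GnuTLS, the function names and the drop-directory layout are assumptions, and the PEM blobs are constructed placeholders rather than real certificates.

```python
import hashlib
import os
import re
import tempfile
from enum import Enum

# Constructed placeholder blobs in PEM framing; not real certificates.
CERT_A = b"-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"
CERT_B = b"-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n"


class Verdict(Enum):
    STORED = "stored"      # first contact: certificate recorded
    MATCH = "match"        # same certificate as last time
    MISMATCH = "mismatch"  # certificate changed: refuse or ask the user


def _fingerprint(pem: bytes) -> str:
    # Hash only the base64 body so line-ending differences between the
    # stored file and the presented blob don't look like a changed cert.
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("not a PEM certificate")
    return hashlib.sha256(b"".join(m.group(1).split())).hexdigest()


def _path(certdrop: str, servername: str) -> str:
    # Only allow hostname characters so a name can't escape the drop directory.
    if not re.fullmatch(r"[A-Za-z0-9.\-_:]+", servername):
        raise ValueError("unsafe server name")
    return os.path.join(certdrop, servername + ".pem")


def check_server_cert(certdrop: str, servername: str, presented: bytes) -> Verdict:
    """Store on first use as <certdrop>/<servername>.pem; compare afterwards."""
    path = _path(certdrop, servername)
    presented_fp = _fingerprint(presented)  # reject malformed input before storing
    if not os.path.exists(path):
        os.makedirs(certdrop, exist_ok=True)
        with open(path, "wb") as f:
            f.write(presented)
        return Verdict.STORED
    with open(path, "rb") as f:
        stored_fp = _fingerprint(f.read())
    # A mismatch never overwrites the stored file; that decision is left to the user.
    return Verdict.MATCH if stored_fp == presented_fp else Verdict.MISMATCH


def demo() -> list:
    """Three connections to one server: first use, unchanged, then changed."""
    with tempfile.TemporaryDirectory() as certdrop:
        return [check_server_cert(certdrop, "imap.example.org", c).value
                for c in (CERT_A, CERT_A, CERT_B)]
```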
