Re: [Bug-wget] wget/gnutls TOFU certificate authentication?
From: Giuseppe Scrivano
Subject: Re: [Bug-wget] wget/gnutls TOFU certificate authentication?
Date: Tue, 30 Sep 2014 22:22:30 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
Daniel Kahn Gillmor <address@hidden> writes:
> On 09/30/2014 10:47 AM, Tim Ruehsen wrote:
>> 1. if e.g. --ssh-style-verification is given on the command line (or within
>> wgetrc).
>>
>> 2. --no-check-certificate is given AND the cert check (which we always
>> perform) fails AND wget is in 'interactive mode' (isatty()==true).
>
> Of these two, i think i prefer 1 (the option could just be --tofu or
> something), where the TOFU behavior kicks in only if the certificate
> doesn't validate on the X.509 chain.
I think we can make it the default when --no-check-certificate is used,
and to keep the current behavior we can add an argument like
--no-check-certificate=force.
It shouldn't break existing scenarios, and when it does, it is better
people take a deeper look at it.
What do you think?
Cheers,
Giuseppe
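As an added illustration, not code from wget or from anyone in this thread, here is a small Python model of the decision order being proposed: the X.509 chain is always checked first, a failed chain falls back to SSH-style TOFU pinning only when --no-check-certificate is given, and --no-check-certificate=force keeps the old accept-anything behaviour. The names `TofuStore`, `decide`, the in-memory pin store and the SHA-256 fingerprint are all assumptions made for the example.

```python
import hashlib

# Constructed model of the policy discussed in the thread (hypothetical names):
# chain validation always runs; with --no-check-certificate a failed chain
# falls back to TOFU pinning; --no-check-certificate=force accepts anything.

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()

class TofuStore:
    """Pins the first fingerprint seen per host (in-memory stand-in for a
    known_hosts-style file on disk)."""
    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def check(self, host: str, fingerprint: str) -> str:
        """'pinned' on first sight, then 'match' or 'mismatch' afterwards."""
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fingerprint
            return "pinned"
        return "match" if known == fingerprint else "mismatch"

def decide(host: str, cert_der: bytes, chain_valid: bool,
           no_check_certificate: bool, force: bool, store: TofuStore):
    """Return (verdict, reason) under the proposed semantics."""
    if chain_valid:
        return "accept", "x509-chain"           # normal case, no TOFU involved
    if not no_check_certificate:
        return "reject", "x509-chain-failed"    # default strict behaviour
    if force:
        return "accept", "force"                # --no-check-certificate=force
    result = store.check(host, cert_fingerprint(cert_der))
    if result == "mismatch":
        # certificate changed since first use: treat like a changed SSH host key
        return "reject", "tofu-mismatch"
    return "accept", f"tofu-{result}"
```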