
Re: [Bug-wget] Trust On First Use & GSoC 2015 participation


From: Ángel González
Subject: Re: [Bug-wget] Trust On First Use & GSoC 2015 participation
Date: Fri, 13 Mar 2015 21:40:08 +0100
User-agent: Thunderbird

(adding back the list)

On 13/03/15 16:53, Molnár Géza wrote:
> Hi Ángel.
>
> "Try to come up with a few options and submit them to the list.
> A potential problem is that wget can be used either as an interactive tool or as a batch one. It isn't appropriate that a cron job stops to ask if it should trust a certificate (ok, here we would just check isatty), but what to do if after 6 hours downloading recursively, the process finds an unknown certificate? How to combine with the traditional PKI ssl? Maybe in the future we will want to support DANE, and design the switches supporting that, too?"
>
> The first thing that came to my mind was to introduce a new command line switch, e.g. --trust-on-first-use. This would be used to tell wget to print a warning about a certificate that has an unknown issuer, but save it to the ~/.wget/trusted_certs folder (or somewhere else), one file per certificate, and continue downloading. Once a certificate was downloaded using this switch it would no longer be necessary to use --trust-on-first-use to download from that server. Does this behavior seem logical?
>
> As for the implementation: As I can see, wget already supports external certificate verification using ‘--ca-directory=directory’. I'm sure it would be easy to make use of this feature to implement trust on first use. This solution could work with every ssl lib supported at the time and perhaps DANE in the future. Am I going in the right direction here?


So you would need to use --ca-directory=~/.wget/trusted_certs on next runs?
I think you would need to use a switch like --trust-model¹ trust-on-first-use (typically set on .wgetrc) to enter into TOFU mode. There's also the dilemma if the normal PKI shall be trusted in TOFU or not (I don't think it should trust, but maybe it should if PKI was also listed in the --trust-model, or there's a --ca-directory and the signing CA is there).


¹ This is the same switch name used by gpg

PS: ~/.wget wouldn't be the best path, see http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html albeit I'm not sure if such trust is 'configuration' or 'data'.

> (During the week I implemented TOFU using gnutls's gnutls_verify_stored_pubkey() and gnutls_store_pubkey() and it worked, but I realized it is not a good idea to implement this for every ssl lib independently)
I have been looking, and gnutls seems to almost provide it. If there's a big difference, it could be a gnutls-only option, but it should at least accept such switches and do something with openssl (I'm not sure if it should fail or ignore it with a warning)

> If the above seems ok, I'll start working on it and post a patch by tomorrow afternoon.

> Thanks
> Geza

Cheers
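As an added illustration of the design options discussed in this thread (not wget's code, and not Géza's GnuTLS patch), the following Python model keeps the TOFU policy independent of the TLS library: it pins the server's public key per host:port under XDG_DATA_HOME, reports first-use/match/mismatch the way gnutls_verify_stored_pubkey() does, and combines that with the PKI result according to a --trust-model-style setting. The pin-file layout, the "tofu"/"pki" model names and the warn-and-pin behaviour on non-interactive first use are assumptions taken from the proposals above, not settled wget behaviour.

```python
import hashlib
import json
import os
from pathlib import Path

def tofu_store_path() -> Path:
    """Default pin file under XDG_DATA_HOME (freedesktop basedir spec) rather than ~/.wget (assumed layout)."""
    base = os.environ.get("XDG_DATA_HOME") or str(Path.home() / ".local" / "share")
    return Path(base) / "wget" / "tofu.json"

def spki_fingerprint(spki_der: bytes) -> str:
    """Pin the public key (as gnutls_store_pubkey() does), so a renewed cert with the same key still matches."""
    return "sha256:" + hashlib.sha256(spki_der).hexdigest()

class TofuStore:
    """host:port -> pinned key fingerprint; path=None keeps the store in memory only."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = json.loads(self.path.read_text()) if self.path and self.path.exists() else {}

    def check(self, host, port, spki_der) -> str:
        """Mirror the three outcomes of gnutls_verify_stored_pubkey(): first-use, match, mismatch."""
        stored = self.pins.get(f"{host}:{port}")
        if stored is None:
            return "first-use"
        return "match" if stored == spki_fingerprint(spki_der) else "mismatch"

    def pin(self, host, port, spki_der):
        self.pins[f"{host}:{port}"] = spki_fingerprint(spki_der)
        if self.path:
            self.path.parent.mkdir(parents=True, exist_ok=True)
            self.path.write_text(json.dumps(self.pins, indent=1))

def decide(store, host, port, spki_der, pki_ok, trust_model=("tofu",), interactive=False, ask=None):
    """Return (accept, reason). PKI only counts if 'pki' is listed in trust_model (cf. --trust-model)."""
    if "pki" in trust_model and pki_ok:
        return True, "pki"
    if "tofu" not in trust_model:
        return False, "pki-failed"
    state = store.check(host, port, spki_der)
    if state == "match":
        return True, "tofu-match"
    if state == "mismatch":
        return False, "tofu-mismatch"  # key changed: fail hard, never block a batch job on a prompt
    # First use: interactive runs (isatty) may ask; batch runs warn, pin and continue (assumed policy).
    if interactive and ask is not None and not ask(host, port, spki_fingerprint(spki_der)):
        return False, "user-declined"
    store.pin(host, port, spki_der)
    return True, "tofu-first-use"
```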



