[OS X Emacs] Verifying Aquamacs

David Reitter david.reitter at gmail.com
Fri Apr 24 16:00:46 EDT 2020


You forget that there are some 100,000 copies of Aquamacs sitting on
people's computers.  You can't remotely update which certificates are
trusted.

The simpler solution (going forward) is to change the update URL going
forward to be something like update.aquamacs.org, and make the update check
via HTTP.

For now, I would first disable HTTPS on the server until you can figure out
how to make HTTPS not mandatory for all portions of the site.  Then, if it
can be done, you can exempt cgi-bin/currentversion.cgi from the redirect to
HTTPS, probably via an entry in .htaccess.


David


On Fri, Apr 24, 2020 at 3:37 PM John Wroclawski <jtw at csail.mit.edu> wrote:

> Hi,
>
> On Apr 24, 2020, at 3:15 PM, Robert Goldman <rpgoldman at sift.info> wrote:
>
> David Reitter
>
>   Suggest disabling HTTPS on the website for now.
>
>
> I'm not a big fan of using HTTP, especially not for getting software I
> trust.
>
>
> We had this discussion a few weeks ago, but. I fully understand your
> point, but in this case I wouldn’t worry about it much, because the
> software itself is signed. The whole point of that mechanism is that you
> don’t have to secure the channel because the s/w itself is crypto-validated.
>
> That said,
>
> Can't we add the Let's Encrypt CA to the set of CAs we will accept?
>
>
> I was wondering about this too. LE certs trace back to two separate rather
> well-known roots - see https://letsencrypt.org/certificates/ for full
> details. If Aquamacs is maintaining its own root CA store (not great),
> then adding one of these should be simple enough. OTOH, what it should
> really be doing is using Apple’s built-in certificate management functions
> and root store. But if it was doing that, this would all be working, I
> would expect. So I assume it’s not.
>
> John
>
>
>
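
The exemption suggested in the message above, sketched as an added example (it is not from the thread or from the Aquamacs server's configuration). It assumes Apache with mod_rewrite, that the HTTPS redirect is done by rewrite rules in the document root's .htaccess, and that those rules also apply to /cgi-bin/.

```apache
# Added example; assumptions: mod_rewrite is loaded, AllowOverride permits
# rewrite rules, and this .htaccess also governs requests under /cgi-bin/.
RewriteEngine On

# Blanket redirect (assumed current behaviour): every plain-HTTP request is
# sent to HTTPS, which a client that rejects the certificate cannot follow.
#   RewriteCond %{HTTPS} !=on
#   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Redirect with one exemption: the update check stays reachable over HTTP,
# every other path is still upgraded to HTTPS.
# REQUEST_URI excludes the query string, and the pattern is anchored at both
# ends so no other path is exempted along with it.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/cgi-bin/currentversion\.cgi$
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

The exemption only keeps the version check reachable; the response to it travels unauthenticated, so the client should still rely on the signature of the downloaded software, as discussed in the quoted reply.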

