Moved the Network Security Manager to the Emacs manual

* misc.texi (Gnus Summary Buffer): Moved the Network Security Manager stuff here from the lispref manual.
author: Lars Magne Ingebrigtsen 2014-11-24 18:29:47 +0100
committer: Lars Magne Ingebrigtsen 2014-11-24 18:30:01 +0100
commit: e22f5c07d8bf514283221f337afb1ef7ca1cd2b8 (patch)
tree: 91196adce8b26025e3179d371c382043d8b4d04c /doc/lispref
parent: b3b0b0971db990a39d1bf521a5c9dc604111ea89 (diff)
download: emacs-e22f5c07d8bf514283221f337afb1ef7ca1cd2b8.tar.gz
emacs-e22f5c07d8bf514283221f337afb1ef7ca1cd2b8.zip
3 files changed, 2 insertions, 104 deletions
diff --git a/doc/lispref/ChangeLog b/doc/lispref/ChangeLog
index 57c5c65a96a..b0da266d53a 100644
--- a/doc/lispref/ChangeLog
+++ b/doc/lispref/ChangeLog
@@ -3,6 +3,8 @@
        * processes.texi (Network Security): Made into its own section and
        fleshed out.
        (Network Security): Mention more NSM variables.
+        (Processes): Moved the Network Security Manager stuff to the Emacs
+        manual.
 2014-11-23  Lars Magne Ingebrigtsen  <larsi@gnus.org>
diff --git a/doc/lispref/elisp.texi b/doc/lispref/elisp.texi
index 754140e587c..fa665da34a4 100644
--- a/doc/lispref/elisp.texi
+++ b/doc/lispref/elisp.texi
@@ -1299,7 +1299,6 @@ Processes
 * System Processes::        Accessing other processes running on your system.
 * Transaction Queues::      Transaction-based communication with subprocesses.
 * Network::                 Opening network connections.
-* Network Security::        Managing the network security.
 * Network Servers::         Network servers let Emacs accept net connections.
 * Datagrams::               UDP network connections.
 * Low-Level Network::       Lower-level but more general function
diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi
index c93288f2028..0952cc15f03 100644
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@@ -52,7 +52,6 @@ Processes}.
 * System Processes::         Accessing other processes running on your system.
 * Transaction Queues::       Transaction-based communication with subprocesses.
 * Network::                  Opening network connections.
-* Network Security::         Managing the network security.
 * Network Servers::          Network servers let Emacs accept net connections.
 * Datagrams::                UDP network connections.
 * Low-Level Network::        Lower-level but more general function
@@ -2074,108 +2073,6 @@ The connection type: @samp{plain} or @samp{tls}.
 @end defun
-@node Network Security
-@section Network Security
-@cindex Network Security Manager
-@cindex encryption
-@cindex SSL
-@cindex TLS
-@cindex STARTTLS
-After establishing a network connection, the connection is then passed
-on to the Network Security Manager (@acronym{NSM}).
-@vindex network-security-level
-The @code{network-security-level} variable determines the security
-level.  If this is @code{low}, no security checks are performed.
-If this variable is @code{medium} (which is the default), a number of
-checks will be performed.  If the @acronym{NSM} determines that the
-network connection might be unsafe, the user is made aware of this,
-and the @acronym{NSM} will ask the user what to do about the network
-connection.
-The user is given the choice of registering a permanent security
-exception, a temporary one, or whether to refuse the connection
-entirely.
-Below is a list of the checks done on the @code{medium} level.
-@table @asis
-@item unable to verify a @acronym{TLS} certificate
-If the connection is a @acronym{TLS}, @acronym{SSL} or
-@acronym{STARTTLS} connection, the @acronym{NSM} will check whether
-the certificate used to establish the identity of the server we're
-connecting to can be verified.
-While an invalid certificate is often the cause for concern (there may
-be a Man-in-the-Middle hijacking your network connection and stealing
-your password), there may be valid reasons for going ahead with the
-connection anyway.
-For instance, the server may be using a self-signed certificate, or
-the certificate may have expired.  It's up to the user to determine
-whether it's acceptable to continue the connection.
-@item a self-signed certificate has changed
-If you've previously accepted a self-signed certificate, but it has
-now changed, that either means that the server has just changed the
-certificate, or this might mean that the network connection has been
-hijacked.
-@item previously encrypted connection now unencrypted
-If the connection is unencrypted, but it was encrypted in previous
-sessions, this might mean that there is a proxy between you and the
-server that strips away @acronym{STARTTLS} announcements, leaving the
-connection unencrypted.  This is usually very suspicious.
-@item talking to an unencrypted service when sending a password
-When connecting to an @acronym{IMAP} or @acronym{POP3} server, these
-should usually be encrypted, because it's common to send passwords
-over these connections.  Similarly, if you're sending email via
-@acronym{SMTP} that requires a password, you usually want that
-connection to be encrypted.  If the connection isn't encrypted, the
-@acronym{NSM} will warn you.
-@end table
-If @code{network-security-level} is @code{high}, the following checks
-will be made:
-@table @asis
-@item a validated certificate changes the public key
-Servers change their keys occasionally, and that is normally nothing
-to be concerned about.  However, if you are worried that your network
-connections are being hijacked by agencies who have access to pliable
-Certificate Authorities that issue new certificates for third-party
-services, you may want to keep track of these changes.
-@end table
-Finally, if @code{network-security-level} is @code{paranoid}, you will
-also be notified the first time the @acronym{NSM} sees any new
-certificate.  This will allow you to inspect all the certificates from
-all the connections that Emacs makes.
-The following additional variables can be used to control
-@acronym{NSM} details.
-@table @code
-@item nsm-settings-file
-@vindex nsm-settings-file
-The @acronym{NSM} stores details on the connections in this file.  It
-defaults to @file{~/.emacs.d/network-security.data}.
-@item nsm-save-host-names
-@vindex nsm-save-host-names
-By default, host names will not be saved per non-@code{STARTTLS}
-connection.  Instead a host/port hash is used to identify connections.
-This means that one can't casually read the settings file to see what
-servers the user has connected to.  If this variable is @code{t}, host
-names will be saved in the file, too.
-@end table
 @node Network Servers
 @section Network Servers
 @cindex network servers
author	Lars Magne Ingebrigtsen	2014-11-24 18:29:47 +0100
committer	Lars Magne Ingebrigtsen	2014-11-24 18:30:01 +0100
commit	e22f5c07d8bf514283221f337afb1ef7ca1cd2b8 (patch)
tree	91196adce8b26025e3179d371c382043d8b4d04c /doc/lispref
parent	b3b0b0971db990a39d1bf521a5c9dc604111ea89 (diff)
download	emacs-e22f5c07d8bf514283221f337afb1ef7ca1cd2b8.tar.gz emacs-e22f5c07d8bf514283221f337afb1ef7ca1cd2b8.zip

diff --git a/doc/lispref/ChangeLog b/doc/lispref/ChangeLog index 57c5c65a96a..b0da266d53a 100644 --- a/doc/lispref/ChangeLog +++ b/doc/lispref/ChangeLog
@@ -3,6 +3,8 @@
3	* processes.texi (Network Security): Made into its own section and	3	* processes.texi (Network Security): Made into its own section and
4	fleshed out.	4	fleshed out.
5	(Network Security): Mention more NSM variables.	5	(Network Security): Mention more NSM variables.
		6	(Processes): Moved the Network Security Manager stuff to the Emacs
		7	manual.
6		8
7	2014-11-23 Lars Magne Ingebrigtsen <larsi@gnus.org>	9	2014-11-23 Lars Magne Ingebrigtsen <larsi@gnus.org>
8		10


diff --git a/doc/lispref/elisp.texi b/doc/lispref/elisp.texi index 754140e587c..fa665da34a4 100644 --- a/doc/lispref/elisp.texi +++ b/doc/lispref/elisp.texi
@@ -1299,7 +1299,6 @@ Processes
1299	* System Processes:: Accessing other processes running on your system.	1299	* System Processes:: Accessing other processes running on your system.
1300	* Transaction Queues:: Transaction-based communication with subprocesses.	1300	* Transaction Queues:: Transaction-based communication with subprocesses.
1301	* Network:: Opening network connections.	1301	* Network:: Opening network connections.
1302	* Network Security:: Managing the network security.
1303	* Network Servers:: Network servers let Emacs accept net connections.	1302	* Network Servers:: Network servers let Emacs accept net connections.
1304	* Datagrams:: UDP network connections.	1303	* Datagrams:: UDP network connections.
1305	* Low-Level Network:: Lower-level but more general function	1304	* Low-Level Network:: Lower-level but more general function


diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi index c93288f2028..0952cc15f03 100644 --- a/doc/lispref/processes.texi +++ b/doc/lispref/processes.texi
@@ -52,7 +52,6 @@ Processes}.
52	* System Processes:: Accessing other processes running on your system.	52	* System Processes:: Accessing other processes running on your system.
53	* Transaction Queues:: Transaction-based communication with subprocesses.	53	* Transaction Queues:: Transaction-based communication with subprocesses.
54	* Network:: Opening network connections.	54	* Network:: Opening network connections.
55	* Network Security:: Managing the network security.
56	* Network Servers:: Network servers let Emacs accept net connections.	55	* Network Servers:: Network servers let Emacs accept net connections.
57	* Datagrams:: UDP network connections.	56	* Datagrams:: UDP network connections.
58	* Low-Level Network:: Lower-level but more general function	57	* Low-Level Network:: Lower-level but more general function
@@ -2074,108 +2073,6 @@ The connection type: @samp{plain} or @samp{tls}.
2074	@end defun	2073	@end defun
2075		2074
2076		2075
2077	@node Network Security
2078	@section Network Security
2079	@cindex Network Security Manager
2080	@cindex encryption
2081	@cindex SSL
2082	@cindex TLS
2083	@cindex STARTTLS
2084
2085	After establishing a network connection, the connection is then passed
2086	on to the Network Security Manager (@acronym{NSM}).
2087
2088	@vindex network-security-level
2089	The @code{network-security-level} variable determines the security
2090	level. If this is @code{low}, no security checks are performed.
2091
2092	If this variable is @code{medium} (which is the default), a number of
2093	checks will be performed. If the @acronym{NSM} determines that the
2094	network connection might be unsafe, the user is made aware of this,
2095	and the @acronym{NSM} will ask the user what to do about the network
2096	connection.
2097
2098	The user is given the choice of registering a permanent security
2099	exception, a temporary one, or whether to refuse the connection
2100	entirely.
2101
2102	Below is a list of the checks done on the @code{medium} level.
2103
2104	@table @asis
2105
2106	@item unable to verify a @acronym{TLS} certificate
2107	If the connection is a @acronym{TLS}, @acronym{SSL} or
2108	@acronym{STARTTLS} connection, the @acronym{NSM} will check whether
2109	the certificate used to establish the identity of the server we're
2110	connecting to can be verified.
2111
2112	While an invalid certificate is often the cause for concern (there may
2113	be a Man-in-the-Middle hijacking your network connection and stealing
2114	your password), there may be valid reasons for going ahead with the
2115	connection anyway.
2116
2117	For instance, the server may be using a self-signed certificate, or
2118	the certificate may have expired. It's up to the user to determine
2119	whether it's acceptable to continue the connection.
2120
2121	@item a self-signed certificate has changed
2122	If you've previously accepted a self-signed certificate, but it has
2123	now changed, that either means that the server has just changed the
2124	certificate, or this might mean that the network connection has been
2125	hijacked.
2126
2127	@item previously encrypted connection now unencrypted
2128	If the connection is unencrypted, but it was encrypted in previous
2129	sessions, this might mean that there is a proxy between you and the
2130	server that strips away @acronym{STARTTLS} announcements, leaving the
2131	connection unencrypted. This is usually very suspicious.
2132
2133	@item talking to an unencrypted service when sending a password
2134	When connecting to an @acronym{IMAP} or @acronym{POP3} server, these
2135	should usually be encrypted, because it's common to send passwords
2136	over these connections. Similarly, if you're sending email via
2137	@acronym{SMTP} that requires a password, you usually want that
2138	connection to be encrypted. If the connection isn't encrypted, the
2139	@acronym{NSM} will warn you.
2140
2141	@end table
2142
2143	If @code{network-security-level} is @code{high}, the following checks
2144	will be made:
2145
2146	@table @asis
2147	@item a validated certificate changes the public key
2148	Servers change their keys occasionally, and that is normally nothing
2149	to be concerned about. However, if you are worried that your network
2150	connections are being hijacked by agencies who have access to pliable
2151	Certificate Authorities that issue new certificates for third-party
2152	services, you may want to keep track of these changes.
2153	@end table
2154
2155	Finally, if @code{network-security-level} is @code{paranoid}, you will
2156	also be notified the first time the @acronym{NSM} sees any new
2157	certificate. This will allow you to inspect all the certificates from
2158	all the connections that Emacs makes.
2159
2160	The following additional variables can be used to control
2161	@acronym{NSM} details.
2162
2163	@table @code
2164	@item nsm-settings-file
2165	@vindex nsm-settings-file
2166	The @acronym{NSM} stores details on the connections in this file. It
2167	defaults to @file{~/.emacs.d/network-security.data}.
2168
2169	@item nsm-save-host-names
2170	@vindex nsm-save-host-names
2171	By default, host names will not be saved per non-@code{STARTTLS}
2172	connection. Instead a host/port hash is used to identify connections.
2173	This means that one can't casually read the settings file to see what
2174	servers the user has connected to. If this variable is @code{t}, host
2175	names will be saved in the file, too.
2176	@end table
2177
2178
2179	@node Network Servers	2076	@node Network Servers
2180	@section Network Servers	2077	@section Network Servers
2181	@cindex network servers	2078	@cindex network servers