Hi Peter,

I noticed the new session parameter, kCMISSessionAllowUntrustedSSLCertificate, that you introduced. If set, server certificate validation is skipped so SSL connections to untrusted servers can be established.

I don't think that we should have such a parameter. The world is already insecure enough without encouraging people to deactivate essential security settings. If there is a need to accept untrusted server certificates temporarily, like during development, then this can easily be done by providing a custom authentication provider. This was already possible before this change, without extending the standard implementation with insecure code. Or did I miss something?

I would feel a lot better if this whole "feature" was removed again and whoever needs to do such messy things does them in their own code in a custom authentication provider. Or is it just me who is overly sensitive here? What does everyone else think?

Peter
