The area of certificate verification is very complex. There are different RFCs and other specifications, as well as different requirements in separate countries (e.g. German Signature Law). I haven't seen so far a statement that either Microsoft or Mozilla guarantee 100 % compliance to a particular specification. Counting in different implementations (Mozilla, Microsoft, OpenSSL etc.) and possible bugs, certificate verification is a bit like reading the coffee grounds.

Therefore, for me a valid point for migrating to something different would be to have a common implementation on all platforms using a certificate verification, that guarantees compliance to a particular specification (such as RFC 3280, ISIS-MTT etc.).

Joachim

Rene Engelhard wrote:
Hi,

On Wednesday, 18 October 2006 12:00, Malte Timmermann wrote:
We think that most people on non-Windows platforms will have their
personal certificate in some Mozilla profile anyway.

Not true.
I had to extra set up Mozilla and import a test-generated certificate
to test the XML Sec stuff...
Many people will have it somewhere and just use openssl.

In your scenario, if we used OpenSSL, how would this, as well as (CA)
certificate and CRL management work?
What is the benefit in replacing an existing Mozilla dependency with a
new OpenSSL dependency?

In removing the bogus dependency on Mozilla since not everyone is using Mozilla
stuff for browsing or mail, consequently also not for certificates.

And, well, you could make it choosable.. libxmlsec afais already also supports 
openssl.

We should try to get rid of the Mozilla crap (remember: we still are shipping an
unmaintained, old, unsupported, security-buggy version), also for LDAP access,
but that's another story...

Regards,

Rene
