On 03/08/2011 04:59 PM, Marc-André Moreau wrote:
>     However, except for the "is the certificate valid with regard to these
>     CAs" question (which should be answered by the crypto library that
>     already is encapsulated in libfreerdp) there isn't much code that
>     could be reused. It is mostly policy and user interfacing, and that
>     is closely related to how the GUI chooses to do it.
>
>
> How do you plan on handling "is the certificate valid with regard to
> these CAs", if we delegate the call to the UI? Will the UI use another
> function call in libfreerdp to check if a certificate is valid? The user
> will only get a question if the certificate cannot be validated
> automatically, as is the case with a self-signed certificate.

Yes, something like that, as proposed in my draft.

I am not sure we can assume in libfreerdp that the user should only be 
asked if automatic validation fails.

It does make a lot of sense that a UI designer would like to give the user 
the option of not silently accepting anything that the CA chain 
validates. Checking fingerprints (similar to ssh's "known hosts") is in 
many ways more secure than CA-based validation where several governments 
will be able to impersonate any server. The problem with fingerprints is 
how to figure out which fingerprint to trust.

Users might also want to use different CAs for their RDP connections 
than they use for their web browsing, and perhaps even different CAs for 
different servers.

> The main difference is that Firefox will normally be available under one
> port per platform, not multiple "ports" per platform like what we have.
> Both X11 and DirectFB UIs run on Linux, so how do we make the distinction?

I think it would be fine to make the choice with a configuration option. 
For each platform the packager (or whoever compiles the code) would 
choose which of the UI libraries the freerdp binary should use. There is 
no reason an ordinary user should want to use X11 when connecting to one 
server and DirectFB when connecting to another.

I don't know how far Firefox is with DirectFB and Qt support and other 
non-GTK GUI libraries, but also there I would expect it to be a compile 
time option.

/Mads
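Added example (not code from this thread or from FreeRDP) of the known-hosts style check Mads describes, written in C since libfreerdp is C. The store format, the function names and the fingerprints are assumptions; the second function encodes the policy question of whether the UI has to ask the user at all.

```c
#include <ctype.h>
#include <string.h>

/* Outcome of a known-hosts style lookup. Only UNKNOWN and MISMATCH need
 * a question to the user; MATCH can be accepted without asking. */
typedef enum { FP_MATCH, FP_MISMATCH, FP_UNKNOWN } fp_status;

/* Constructed sample store (hypothetical format, not FreeRDP's):
 * "host:port sha256-hex", one entry per line, fingerprints truncated. */
static const char *sample_store =
    "rdp.example.org:3389 3F1A9C0B7E2D5A44\n"
    "ts.example.net:3389 00aa11bb22cc33dd\n";

/* Case-insensitive comparison of two hex strings. */
static int hex_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Look host up in the store and compare its pinned fingerprint with fp. */
fp_status check_fingerprint(const char *store, const char *host, const char *fp)
{
    char line[256];
    const char *p = store;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;
        if (len >= sizeof line) len = sizeof line - 1;   /* clip long entries */
        memcpy(line, p, len); line[len] = '\0';
        p = next;
        char *sp = strchr(line, ' ');
        if (!sp) continue;                 /* malformed entry: skip it */
        *sp = '\0';
        if (strcmp(line, host) != 0) continue;
        return hex_equal(sp + 1, fp) ? FP_MATCH : FP_MISMATCH;
    }
    return FP_UNKNOWN;
}

/* The policy question from the thread: does the UI have to ask? A UI may
 * set require_pin to refuse silently accepting CA-validated certificates. */
int needs_user_prompt(fp_status s, int ca_valid, int require_pin)
{
    if (s == FP_MATCH) return 0;
    if (s == FP_MISMATCH) return 1;        /* pinned key changed: always ask */
    return require_pin || !ca_valid;       /* unknown host */
}
```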

_______________________________________________
Freerdp-devel mailing list
Freerdp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel