On 03/08/2011 04:59 PM, Marc-André Moreau wrote:
> However, except for "is the certificate valid with regard to these
> CAs" question (which should be answered by the crypto library that
> already is encapsulated in libfreerdp) there isn't much code that
> could be reused. It is mostly policy and user interfacing, and that
> is closely related to how the GUI chooses to do it.
>
>
> How do you plan on handling "is the certificate valid with regard to
> these CAs", if we delegate the call to the UI? Will the UI use another
> function call in libfreerdp to check if a certificate is valid? The user
> will only get a question if the certificate cannot be validated
> automatically, as is the case with a self-signed certificate.
Yes, something like that, as proposed in my draft. I am not sure we can assume in libfreerdp that the user should only be asked if automatic validation fails. It does make a lot of sense that a UI designer would like to give the user the option of not silently accepting anything that the CA chain validates. Checking fingerprints (similar to ssh's "known hosts") is in many ways more secure than CA-based validation, where several governments will be able to impersonate any server. The problem with fingerprints is how to figure out which fingerprint to trust. Users might also want to use different CAs for their RDP connections than they use for their web browsing, and perhaps even different CAs for different servers.

> The main difference is that Firefox will normally be available under one
> port per platform, not multiple "ports" per platform like what we have.
> Both X11 and DirectFB UIs run on Linux, so how do we make the distinction?

I think it would be fine to make the choice with a configuration option. For each platform the packager (or whoever compiles the code) would choose which of the UI libraries the freerdp binary should use. There is no reason an ordinary user should want to use X11 when connecting to one server and DirectFB when connecting to another. I don't know how far Firefox is with DirectFB and Qt support and other non-GTK GUI libraries, but there too I would expect it to be a compile-time option.

/Mads
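The policy layer sketched in this thread (ssh-style "known hosts" fingerprint pinning first, CA-chain validation second, and a UI option to ask even when the chain validates) as an added example; this is not FreeRDP code, and the `host fingerprint` store format, the `decide` function and the DER byte strings are constructed assumptions for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"        # pinned fingerprint matches, or CA chain validates and policy allows
    ASK_USER = "ask_user"    # nothing pinned and no automatic trust: the UI must ask
    MISMATCH = "mismatch"    # a fingerprint is pinned but differs: possible impersonation


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 over the DER encoding; the value a UI would show to the user."""
    return hashlib.sha256(cert_der).hexdigest()


def parse_known_hosts(text: str) -> dict:
    """Parse a hypothetical known_hosts-like store: one 'host:port <sha256-hex>' per line."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, fp = line.split()
        pins[host] = fp.lower()
    return pins


def decide(host: str, cert_der: bytes, ca_valid: bool, pins: dict,
           ask_even_if_ca_valid: bool = False) -> Verdict:
    """Fingerprint pinning wins over CA validation; a pinned mismatch is never auto-accepted."""
    fp = fingerprint(cert_der)
    pinned = pins.get(host)
    if pinned is not None:
        return Verdict.ACCEPT if pinned == fp else Verdict.MISMATCH
    if ca_valid and not ask_even_if_ca_valid:
        return Verdict.ACCEPT
    return Verdict.ASK_USER


def pin(pins: dict, host: str, cert_der: bytes) -> None:
    """Trust on first use: record the fingerprint after the user explicitly accepted it."""
    pins[host] = fingerprint(cert_der)


# Constructed sample data: these are not real certificates, just stand-in DER bytes.
CERT_A = b"constructed-der-for-rdp.example.org"
CERT_B = b"constructed-der-presented-by-someone-else"
KNOWN_HOSTS = "# constructed store\nrdp.example.org:3389 " + fingerprint(CERT_A) + "\n"
```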