> People were talking about "scheme" on this thread recently. Can we
> provide the following two schemes right out of the box?
We're far away from talking defaults. If any, I would suggest
defaults that either adhere strictly to specifications or else
map to JVM settings.
> https-no-host-verify://
> https-completely-insecure://
I think it would be much better to have a good SSL guide that
tells people how and why to set up such schemes themselves.
A default, if we provide one, should map to the SSL socket factory
of the JVM and perform CN checks as strictly as we can make them.
> We provide this scheme only as an evil temptation for you to resist.
That's a funny thing to write, and I guess I used to think so
myself. But I have become much more pragmatic. If we don't
want them to use it, we shouldn't put it in by default. That
will keep more people from abusing the code as any warning.
I would just like to echo Roland's sentiments here. Having the
ability to do these special schemes is fine, but I don't think they
should be enabled out of the box. Their unintended use could lead to
inherent security issues as well as just general confusion. Out of
the box we should strive to support the "standards" with the ability
to configure for custom scenarios.
Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
