I would say that if you have access to system certificate APIs and stores
(e.g. the Windows CryptoAPI, or whatever Mozilla uses), it might be
worthwhile to verify the certificate chain. Otherwise I would say it is
unlikely to be worthwhile to expend the programmatic effort of maintaining
your own certificate stores and so on. Jabber traffic in general is
unlikely to be worth the effort necessary to hijack a DNS name and set up a
server with bogus certificates, and if it is that sensitive it should rely
on something more end-to-end than TLS.

-Mike



From: Robert Temple <Robert.Temple@dig.com>
Sent by: jdev-admin@jabber.org
Date: 04/14/2002 02:55 AM
Please respond to: jdev
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: [JDEV] SSL & Valid Certificates



Should clients that support SSL connections to a jabber server check to
make sure that the server's certificate is valid?  i.e., check if the names
match, the root is trusted, it's not expired, etc.   If they should, then I
plan to tell the user that there is an issue with the certificate like
Internet Explorer does, and ask them if they want to remain connected.

Thanks,
Robert



_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
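Added example, not part of this thread and not code from either author: the three checks Robert lists (names match, not expired, root trusted), written in Python against the dictionary that ssl.SSLSocket.getpeercert() returns. The sample certificate, hostnames and dates are constructed for the example. Chain building and trust-anchor lookup are left to the platform store through ssl.create_default_context, which follows Mike's suggestion of using the system certificate APIs rather than maintaining a store by hand; the hostname and validity-period checks are shown explicitly so that a client can tell the user what exactly is wrong, as Robert proposes.

```python
from __future__ import annotations

import ssl
import time
from typing import Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# server certificate; the names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "jabber.example.org"),),),
    "subjectAltName": (
        ("DNS", "jabber.example.org"),
        ("DNS", "*.conference.example.org"),
    ),
    "notBefore": "Apr 14 00:00:00 2002 GMT",
    "notAfter": "Apr 14 00:00:00 2003 GMT",
}

# Instants inside and after the sample validity period (seconds since the epoch)
MID_2002 = ssl.cert_time_to_seconds("Oct 01 00:00:00 2002 GMT")
MID_2004 = ssl.cert_time_to_seconds("Oct 01 00:00:00 2004 GMT")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single '*' forming the whole left-most label that
    covers exactly one label (so '*.org' never matches 'example.org')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (
        len(p_labels) == len(h_labels)
        and len(p_labels) >= 3
        and p_labels[1:] == h_labels[1:]
    )


def certificate_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the subject commonName only
    when the certificate carries no SAN at all (legacy behaviour)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def check_certificate(cert: dict, hostname: str, now: Optional[float] = None) -> list:
    """Return the problems found; an empty list means the name and validity
    period are fine. Chain trust is enforced by the SSLContext, not here."""
    problems = []
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = certificate_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"hostname {hostname!r} does not match certificate names {names}")
    return problems


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects untrusted chains and mismatched names."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that delegates chain building and trust-anchor lookup to the
    platform store (OpenSSL's default paths, or the bundle in cafile)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; restating them makes the
    # intent explicit and protects against a later edit that relaxes them.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    for host, instant in [("jabber.example.org", MID_2002), ("chat.example.org", MID_2004)]:
        print(host, check_certificate(SAMPLE_CERT, host, now=instant) or "ok")
    print("context verifies:", context_is_verifying(client_context()))
```

On a live connection the context from client_context() refuses the handshake outright when the chain does not reach a trusted root or the name does not match; check_certificate() is the piece a client keeps for explaining a rejection to the user in the way Robert describes, since it can be run on the dictionary from getpeercert() without redoing the chain validation.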
