On Wednesday 24 May 2006 14:46, Peter Saint-Andre wrote:
> Speaking of cert handling, how do jabber/xmpp clients currently handle
> server certificates? One approach would be to use the existing Mozilla
> NSS store, which is on Linux distros and even many Windows distros. But
> it would be good for clients to "do the right thing" in handling the
> certs for jabber/xmpp servers (I guess that would mean following best
> practices derived from the browser and email client markets).
>
> Perhaps it would be good to document such best practices? Section 14.2
> of RFC 3920 talks about this, but the text there may be a bit opaque for
> many client developers...

Psi 0.10 and prior contain a copy of the Windows root certificates from a couple of years ago and use that on all platforms. Psi 0.11 (e.g. the betas) and onward uses the root certificates of the operating system, and does not bundle certificates anymore. The benefit of this approach is that a user can install a root certificate systemwide and then it "just works" in Psi. This functionality works on Windows, Mac, and Debian (or compatible Linux distros). For operating systems that don't have root certificates (other Linuxes or Unixes), Psi bundles the Mozilla root certificates.

IMO, I consider this to be the best practice. However, Mozilla doesn't do this for some reason. On Windows, for example, they ignore the operating system certificates and instead use their own bundled set. I'm now curious what Opera does.

IE -> system
Safari -> system
Firefox -> bundled
Thunderbird -> bundled
Psi 0.11 -> system

-Justin
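
The system-first, bundled-fallback policy described in the message above, sketched with Python's standard `ssl` module as an added example (not Psi's code and not part of the original post). The function names and the bundle path are hypothetical, and an OpenSSL-backed runtime is assumed.

```python
import os
import ssl
import sys


def choose_trust_source(paths=None, platform=sys.platform):
    """Return "system" when the OS provides root certificates, else "bundled"."""
    if platform == "win32":
        # Python's ssl module reads the Windows CA and ROOT system stores.
        return "system"
    if paths is None:
        paths = ssl.get_default_verify_paths()
    cafile, capath = paths.cafile, paths.capath
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return "system"
    # capath is a hashed directory OpenSSL reads lazily, so inspect it on disk.
    if capath and os.path.isdir(capath) and os.listdir(capath):
        return "system"
    return "bundled"


def build_context(bundled_cafile):
    """Build a verifying client context and report which roots it trusts."""
    source = choose_trust_source()
    if source == "system":
        # A root the user installed systemwide is picked up here.
        ctx = ssl.create_default_context()
    else:
        # bundled_cafile: PEM bundle shipped with the client (assumed path).
        ctx = ssl.create_default_context(cafile=bundled_cafile)
    return ctx, source


if __name__ == "__main__":
    ctx, source = build_context("roots/mozilla-bundle.pem")  # hypothetical path
    print(source, ctx.cert_store_stats())
```

Either branch leaves `verify_mode` at `CERT_REQUIRED` with hostname checking on, so the fallback changes only which roots are trusted, not whether the server certificate is verified.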
