-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Justin Karneges wrote: > On Wednesday 24 May 2006 14:46, Peter Saint-Andre wrote: >> Speaking of cert handling, how do jabber/xmpp clients currently handle >> server certificates? One approach would be to use the existing Mozilla >> NSS store, which is on Linux distros and even many Windows distros. But >> it would be good for clients to "do the right thing" in handling the >> certs for jabber/xmpp servers (I guess that would mean following best >> practices derived from the browser and email client markets). >> >> Perhaps it would be good to document such best practices? Section 14.2 >> of RFC 3920 talks about this, but the text there may be a bit opaque for >> many client developers... > > Psi 0.10 and prior contains a copy of the Windows root certificates from a > couple of years ago and uses that on all platforms. > > Psi 0.11 (e.g. the betas) and onward uses the root certificates of the > operating system, and does not bundle certificates anymore. The benefit of > this approach is that a user can install a root certificate systemwide and > then it "just works" in Psi. This functionality works on Windows, Mac, and > Debian (or compatible Linux distros). For operating systems that don't have > root certificates (other linuxes or unixes), Psi bundles the Mozilla root > certificates. > > IMO, I consider this to be the best practice. However, Mozilla doesn't do > this for some reason. On Windows, for example, they ignore the operating > system certificates and instead use their own bundled set. I'm now curious > what Opera does. > > IE -> system > Safari -> system > Firefox -> bundled > Thunderbird -> bundled > Psi 0.11 -> system
Thanks, that is helpful and does seem like the right approach. I suppose a Moz-based client would probably use the Mozilla store since that seems to be the preferred approach for Moz-based software... Peter - -- Peter Saint-Andre Jabber Software Foundation http://www.jabber.org/people/stpeter.shtml -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEdOJ9NF1RSzyt3NURAhQAAKCWJYNxVTgjnRtqlvmzUrOFFn3uagCgltU7 1RROl9MfmHdwCZDC3Kan+BI= =sz3i -----END PGP SIGNATURE-----
smime.p7s
Description: S/MIME Cryptographic Signature
