Stephen,

> When you add a CA via an API call from ActiveX control or any other
> method in IE you still can get a series of dialog boxes asking you first
> if you want to download the control. AFAIK you always get a box asking
> whether you want to add the root CA.
>
> With Netscape the method of adding a CA via a plugin works only under
> Windows and could be regarded as a security hole in Netscape which could
> be plugged at any time.
>
> With Netscape you also get lots of dialog boxes asking if you really
> want to let this stuff potentially write all over your hard disk.
>
> On the plus side ActiveX controls and Netscape signed stuff don't
> expire when the certificates do. If you serve up stuff with SSL the
> certificate needs to be up to date.
>
> On the minus side many people are very wary of ActiveX controls because
> they can either deliberately or accidentally open up security holes.

That's exactly the point. I would not trust plugins or active code or
stuff like that to install anything sensitive like certificates in my
database.

> Netscape signed objects are a bit more primitive: they allow expired
> certificates to be used and don't do revocation checking.
>
> Speaking personally on balance I'd be much happier adding a CA
> certificate over SSL than running a signed object.

I wholeheartedly agree with you on this one!

Cheers,

        Stefan.

______________________________________________________________________________
Stefan Kelm            PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA                                                      <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30                               http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)                   Tel: +49 40 428 83-2262 / Fax: -2241
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]