Matthias Apitz wrote:
El día Friday, January 18, 2013 a las 04:34:03PM +0000, David Woolley escribió:
Probably because one would have to use all of the Windows public key
infrastructure, instead of the open source implementation.
The non-Windows ones are probably designed for use with OpenSSL.
In Matthias' case, he ran a system call trace, and Pidgin is using
/usr/local/share/purple/ca-certs, which is clearly a private store in
Pidgin. This is on FreeBSD.
Note: the directory /usr/local/share/purple/ca-certs is not writeable
by normal users, it is owned by 'root'; i.e. the files
there have been stored when I compiled(!) and installed pidgin in December 2011
These are not files that should be updated quietly as they are critical
to the security of encrypted IM services. As they are private to
Pidgin, they can only safely be updated by installing a later version of
Pidgin, or by explicitly placing them there yourself. However, even the
latest version has long dead certificates.
I would guess that, on a system with shared root certificates, they
would be updated by the standard package update procedure.
In fact, as I think I noted off list, on Windows, for applications using
the Windows certificate store, updates aren't actually automatic. That
is probably because an organisation seriously interested in security
would only want to enable certain certification services from certain
certifiers. Very few people have heard of most of the organisations
that Microsoft allow to vouch for a site's identity, and even the well
known ones have various levels of check on the identity of the people
they certify.
--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
_______________________________________________
Support@pidgin.im mailing list
Want to unsubscribe? Use this link:
http://pidgin.im/cgi-bin/mailman/listinfo/support
