Hello Redleg,

Sunday, October 24, 2004, 8:09:21 PM, you wrote:

AR> Hello Allie,

>>> Discussion-
>>> Whenever the POP/IMAP/SMTP server fails to provide the root/CA
>>> certificate or full chain with the server certificate TB! pops up an
>>> "Unknown CA certificate" warning.

AM>> Shouldn't it?

AR> Yes it should.  However, I would further desire TB! allowing the user to
AR> hash/fingerprint the accepted cert for more than one session, if the
AR> user so desires, and not have to manually OK this action each time.

Indeed!  I support this because I can use other methods to establish
trust separate to the certificate.   What I need TB! to do is tell
me that a certificate is identical to the one I trusted yesterday.


AR> Does that really make any sense at all?  TB! allows me to start a SSL or
AR> TLS session with an unverified certificate?

>>> Not being able to view and/or add to trusted forces the user to
>>> manually OK the session each and every time a connection is made to
>>> these servers. On accounts where this is true and automatic checking
>>> for new mail is set this dialog box can be hidden behind other windows
>>> and even hang the client and/or system if not answered in a timely
>>> fashion.

AM>> So you're wishing for a trust anyway button? :)

AR> YES!!

AR> well, sorta- hitting OK is the "trust anyway" button. Allowing me to
AR> import what I want to import to my trusted certs is the "Trust Anyway"
AR> button I seek!

Yes exactly!  When I contact my brother, I have an encrypted connection
that can be used as a conduit to exchange pointers to jointly known
silent secrets.   Or in an extreme a voice p2p call will verify the
contents of an incoming mail so that in future the non-rooted
certificate can be trusted for future correspondence.


AM>> Interesting. Seems reasonable, though one wonders about the security of
AM>> it. I guess you're interested in transmission encryption more than
AM>> strict authentication of the certificates? 

Quite right.   My https: BBS uses a certificate signed only by the provider
of my server software.  Users are very happy to add my certificate
without a CA root because they know they need encryption perhaps against a
suspect ISP and having established trust (via a well known trusted server
company) they need to know that in future when my IP changes that they
are still talking to the same BBS.

I understand the issues put forward in these mailing lists for only
trusting CA rooted certificates, and challenge that when I use my
work company's CA rooted certificate that this same certificate is
used by a great number of people.  Then contrast to me contacting a
friend at home on a fixed IP DSL line with a non-rooted cert, which is
more trustworthy in knowing the security of the delivered message?

Lastly can someone please tell me does TB! use certificates during 'chat'
sessions?  I'd have thought that most users would not have
traditional full certificates.

Please support the 'Trust this certificate' change in TB! by keeping
controls in place to protect the casual user as in the past and
continue to flag immediately any certs not installed as trusted.

James


________________________________________________________
 Current beta is 3.0.2.1 Beta/1 | 'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
IMPORTANT: To register as a Beta tester, use this link first -
http://www.ritlabs.com/en/partners/testers/
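
The "is this the same certificate I trusted yesterday" check requested in the message above, written out in Python as an added example (not part of the original message and not TB!'s own code). PinStore, the service key and the certificate bytes are constructed for illustration; pins are stored per service name, so a changed IP address does not matter, and anything other than an exact match still has to be shown to the user.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinStore:
    """Fingerprints of certificates the user explicitly chose to trust."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def fingerprint(der_cert):
        # SHA-256 over the DER bytes the server presented.
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, service, der_cert):
        """'unknown' and 'changed' must still prompt; only 'match' is silent."""
        pinned = self.pins.get(service)
        if pinned is None:
            return "unknown"
        same = hmac.compare_digest(pinned, self.fingerprint(der_cert))
        return "match" if same else "changed"

    def trust(self, service, der_cert):
        # Called only after the user accepts the certificate in the dialog.
        self.pins[service] = self.fingerprint(der_cert)
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2)
        os.replace(tmp, self.path)  # atomic swap, no half-written store


def demo():
    # Constructed stand-ins for DER certificates. A real client would pass
    # ssl.SSLSocket.getpeercert(binary_form=True) here.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    service = "imaps://bbs.example"  # keyed by name, so an IP change is harmless
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "pins.json")
        store = PinStore(path)
        first = store.check(service, cert_a)
        store.trust(service, cert_a)
        later = PinStore(path)  # a new session reloads the saved pins
        return first, later.check(service, cert_a), later.check(service, cert_b)
```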
