On 10/16/2010 12:08 AM, Bob Camp wrote:
Hi

It's a crazy world when it comes to self signed certs.

You have at least 5 OSes you need to consider (MS, Linux/FBSD, OS-X, I-OS, 
Android). You need to think about both browsers and mail clients. Each of those 
comes from a half dozen sources on each platform. Then you have configuration 
options on each. That's a lot of combinations.

Each combo seems to have a different idea of what not to do when they see a self signed 
cert. If you want to be able to handle all of them, even "real" certs may have 
issues. There are indeed several common combos that are a major pain with a self signed 
cert.

No, I didn't write any of the code with the problems in it. I also don't want 
to get into the details of what and where. This really isn't the forum for that 
sort of thing. I'm not out to bash any particular solution, only to point out 
that there are indeed issues.

To handle part of the mess, we have set up our local root cert at the computer club, and then sign our server certs to that. I did a major overhaul on the infrastructure for that. It is still not "real" safety routines, but ah well. We provide a cert download which quickly solves the cert issue with most browsers.

Seems to work for our myriad of server and client OSes and clients.

There are various ways to get "real" root certs, but depending on degree of uhm... safety... it may be argued of their capabilities. There are efforts to build a chain of trust for a stable free root cert, but it is so far not included in any major browsers.

Essentially it's a mess. I've only scratched the surface here.

Cheers,
Magnus

_______________________________________________
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
