> > > - The administrator should be able to configure the client in a way
> > > that only SSL connections are allowed and the user is not allowed to
> > > change this option.
> >
> > I don't understand. Who is administrator?
>
> The one who is installing the client. Remember: we are talking about an
> enterprise environment here. Installation packages are provided by the
> admin.

It is not possible except if you create a specific exe and even with that you
can still download the official client and run it without installation.
What about self-signed client certificates? That's a way you can control which
user/client can connect, even if it's freshly downloaded or modified. I'm not a
friend of having this as the standard behavior, but it can be a solution. And
you have to have an option on client and server to configure your Certificate
Authority.

I agree with hartmut to force the encryption of the client-server connection.
These users should not have the option to decide to run tryton unencrypted.

> Security is also about teaching users.

I fully agree. But there are a lot of webpages around with a wrong certificate,
and the users are getting used to ignoring these failures.

Additionally you can authenticate a user with such a certificate, but for this
discussion it's out of scope. Single Sign On with Kerberos would be nice, too ;-)

greets
tobias

[email protected] mailing list
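The policy tobias sketches (the server accepts only clients holding a certificate issued by the organisation's own CA, the client accepts only a server chaining to that CA, and an unencrypted connection is never offered) can be expressed with the standard-library `ssl` module. This is an added example, not code from the thread or from Tryton; the CA, certificate and key file paths are hypothetical and the TLS 1.2 floor is an assumption of this example.

```python
"""Mutual TLS policy for an enterprise client/server pair.

Added illustration, not Tryton code. Trust is pinned to the enterprise CA
file only (the system trust store is deliberately not loaded), every client
must present a CA-issued certificate, and plaintext is not an option.
"""
import ssl
from pathlib import Path

# Assumption for this example: TLS 1.2 is the lowest version we accept.
TLS_MIN = ssl.TLSVersion.TLSv1_2


def server_context() -> ssl.SSLContext:
    """Server side: the handshake fails unless the client presents a
    certificate that chains to the CA loaded via load_identity()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS_MIN
    ctx.verify_mode = ssl.CERT_REQUIRED  # CERT_OPTIONAL would let users skip it
    return ctx


def client_context() -> ssl.SSLContext:
    """Client side: verify the server's chain and hostname against the
    enterprise CA, and present our own certificate when asked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLS_MIN
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def load_identity(ctx: ssl.SSLContext, ca_file, cert_file, key_file) -> ssl.SSLContext:
    """Pin trust to the enterprise CA and load this endpoint's own
    certificate/key pair. All three paths are hypothetical placeholders;
    a missing file is an error rather than a silent fallback to 'no CA'."""
    for path in (ca_file, cert_file, key_file):
        if not Path(path).is_file():
            raise FileNotFoundError(f"required TLS material missing: {path}")
    ctx.load_verify_locations(cafile=str(ca_file))
    ctx.load_cert_chain(certfile=str(cert_file), keyfile=str(key_file))
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Report the settings an administrator would audit on a deployed
    client or server: peer certificate required, minimum protocol version,
    and (client side) whether the server hostname is checked."""
    return {
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_tls": ctx.minimum_version.name,
        "hostname_checked": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("server:", policy_summary(server_context()))
    print("client:", policy_summary(client_context()))
```

In deployment the administrator would call `load_identity()` on both sides with the CA bundle and the per-endpoint certificate issued from it (for example `load_identity(client_context(), "enterprise-ca.pem", "alice.pem", "alice.key")`, all placeholder names); because the client never loads the system trust store, a public CA's certificate for the server's hostname is not enough to get the client to connect, which is exactly the control over "which user/client can connect" the message is after.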
