On 23/10/09 10:53 -0700, Tobias Paepke wrote:
> > > > > - The administrator should be able to configure the client in a way
> > > > > that only SSL connections are allowed and the user is not allowed to
> > > > > change this option.
> > > >
> > > > I don't understand. Who is administrator?
> > >
> > > The one who is installing the client. Remember: we are talking about an
> > > enterprise environment here. Installation packages are provided by the
> > > admin.
> >
> > It is not possible except if you create a specific exe and even with that
> > you
> > can still download the official client and run it without installation.
>
> What about self-signed client certificates? That's a way you can
> control which user/client can connect. Even if it's freshly downloaded
> or modified.
> I'm not a friend of having this the standard behavior, but it can be a
> solution.
> And you have to have an option on client and server to configure your
> Certificate Authority.
>
> I agree with Hartmut to force the encryption of the client-server
> connection. These users should not have the option to decide to run
> tryton unencrypted.
Sorry, but the problem is not about an encrypted or unencrypted connection but about a man-in-the-middle attack. So the user must be able to authenticate the server, and one possibility is to check a certificate.

-- 
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email: [email protected]
Jabber: [email protected]
Website: http://www.b2ck.com/
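What the distinction in the reply above looks like on the client side, as an added example that is not part of this thread or of the Tryton code base. It uses only Python's standard library: one context that merely encrypts (the setting the admin does not want the user to be able to choose), one that also authenticates the server against a CA bundle and the hostname, and a certificate-fingerprint pin on top for the case where the admin ships a self-signed server certificate with the installation package. Function names, the sample bytes and the pin-distribution idea are assumptions for illustration.

```python
"""Client-side server authentication for a TLS connection.

Encryption alone does not stop a man-in-the-middle: the client must also
verify WHO it is talking to. Two complementary checks are shown:
  1. PKI validation against a trusted CA bundle (which the administrator
     can ship with the installation package), with hostname checking;
  2. certificate pinning: the SHA-256 fingerprint of the server's
     DER-encoded certificate is compared with a value distributed
     out of band by the administrator.
Hypothetical example code; not Tryton's own client implementation.
"""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real cert).
SAMPLE_DER = b'constructed bytes standing in for a DER certificate'


def make_encrypt_only_context():
    """The weak setting: the channel is encrypted, but nobody is authenticated.

    Any certificate presented by an attacker sitting between client and
    server completes the handshake. This must not be user-selectable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_client_context(ca_file=None):
    """The corrected setting: refuse servers whose certificate does not verify.

    ca_file: PEM bundle of the CA(s) the administrator trusts (for example
    the one that signed a self-signed server certificate). None means the
    platform trust store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=ca_file)
    # These are already the defaults; they are set explicitly so that no
    # later code path can silently leave them off.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_authenticating(ctx):
    """True only if ctx both requires a certificate and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert):
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_hex):
    """Constant-time comparison of the peer certificate with a stored pin.

    Accepts the usual 'AB:CD:..' display form as well as bare hex.
    """
    expected = expected_hex.replace(':', '').lower().encode('ascii')
    return hmac.compare_digest(fingerprint(der_cert).encode('ascii'), expected)


def connect_authenticated(host, port, expected_pin_hex, ca_file=None,
                          timeout=10):
    """Open a TLS connection, validate chain and hostname, then enforce the pin.

    Raises ssl.SSLCertVerificationError if PKI validation fails and
    ConnectionError if the presented certificate does not match the pin.
    """
    ctx = make_client_context(ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)   # PKI + hostname check
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, expected_pin_hex):
        tls.close()
        raise ConnectionError('server certificate fingerprint %s does not '
                              'match the configured pin' % fingerprint(der))
    return tls


if __name__ == '__main__':
    # Offline demonstration of the two checks on the constructed sample.
    print('encrypt-only context authenticates server:',
          is_authenticating(make_encrypt_only_context()))
    print('default client context authenticates server:',
          is_authenticating(make_client_context()))
    pin = fingerprint(SAMPLE_DER)
    print('pin', pin, 'matches sample:', pin_matches(SAMPLE_DER, pin))
    print('tampered cert matches pin:', pin_matches(SAMPLE_DER + b'x', pin))
```

The pin is checked after `wrap_socket` has already done chain and hostname validation, so a compromised or mis-issued CA certificate is still rejected unless it also reproduces the pinned fingerprint; the admin has to rotate the pin whenever the server certificate is renewed.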
