On 01.03.2010 22:08, Cédric Krier wrote:
> This is exactly what I suggest by saying CA. And you answer it was not that!
> So explain how users will create the ca-bundle.crt ? How to manage it ?
> We try to make a simple software.

This is all explained in <http://docs.python.org/library/ssl#certificates>?

>> (For real usage we should add some boilerplate thought ;-)
>>
>> Sorry for being harsh, ced. This discussion here and the earlier ones
>> about SSL show that you are lacking basic knowledge and understanding
>> about SSL, certificates, how to use SSL correctly, how to use
>> certificates correctly, how to use certificates in conjunction with SSL
>> correctly.
>
> This kind of answer is completely useless and I know all of that!

I doubt that! Just a few lines above you say that you do not know how a ca-certs-file has to be built. And you obviously do not understand why a "Secure connections" checkbox is *required* in the client GUI.

>> Why are you not trusting others to know what they are talking about?
>
> I never say that !

Your actions speak louder than your words!

>> Why are you ignoring the tips of others?
>
> I never do that.

Your actions speak louder than your words! Just two examples: my advice about SSL communication, the discussion about the "Welcome" page in the wiki.

>> I'm a security consultant for some
>> 10 years now.
>
> This kind of answer is pointless. I only trust fact !

This is a fact :-) Trust me, I'm a trained professional (tm).

>> It's my daily business. I've seen lots of bad stuff like
>> this in these years. And I know why they will not work out in the long
>> run -- if they work at all. What makes you believe, you are smarter
>> about IT security?
>
> I will never accept arguments that are based on authority. Explain what is
> wrong? What will go bad?

You should not accept my arguments because of authority, but because I simply have more experience in implementing security than you. We can discuss for weeks without result, since you always can neglect the "facts". Just to point out some of your faults:

* You are implementing a system which is not adequate to the mechanisms you are using. You are misusing SSL. All you want to achieve is already well implemented and tested in SSL.
* You are using outdated algorithms: md5 must not considered broken, NIST has not recommended it for new applications for years.
* You are re-inventing the wheel. This is not only a waste of time, but also a security risk: every additional piece of software may have additional vulnerabilities. Even your "trivial" implementation currently has bugs and is more complicated than necessary. Yes, one could easily correct this. But why? Simply use the one-liners I posted and everything is done.
* Your solution only solves a special case, while there is a more generic solution available (and tested): when using fingerprints, you can only check for this very one certificate. Using certificates properly gives support for certificate chains for free. Much, much more powerful and less work to implement.

These are typical faults of people not understanding how to implement security right.

> I see that fingerprints are something that is done by some security solutions
> like OpenSSH.
> Even OpenSSL has an option to print out the fingerprint:
> "openssl x509 -noout -in cert.pem -fingerprint"

Where does Firefox store the fingerprints? Nowhere! It uses certificate chains.

It now took me about half an hour trying to convince you about "my" solution. This time could have been spent much more productively in writing some documentation for SSL. But you "only trust fact". If you had listened to my experience, we would have been much more productive already.

BTW: I already have a secure Tryton client implementation. But these discussions and your code-nitpicking are discouraging me. You are acting like a king and

--
Kind regards
Hartmut Goebel
Dipl.-Informatiker (univ.), CISSP, CSSLP
Goebel Consult
Specialist for IT security in complex environments
http://www.goebel-consult.de
Monthly column: http://www.cissp-gefluester.de/
Goebel Consult is a member of http://www.7-it.de
