On 01/03/10 23:02 +0100, Hartmut Goebel wrote:
> On 01.03.2010 22:08, Cédric Krier wrote:
> >
> > This is exactly what I suggest by saying CA. And you answer it was not that!
> > So explain how users will create the ca-bundle.crt? How to manage it?
> > We try to make a simple software.
>
> This is all explained in <http://docs.python.org/library/ssl#certificates>?

You don't understand my questions. (I know it, I can read docs like you.)
How do you want non-geek guys to manage these files?

> >> (For real usage we should add some boilerplate though ;-)
> >>
> >> Sorry for being harsh, ced. This discussion here and the earlier ones
> >> about SSL show that you are lacking basic knowledge and understanding
> >> about SSL, certificates, how to use SSL correctly, how to use
> >> certificates correctly, how to use certificates in conjunction with SSL
> >> correctly.
> >
> > This kind of answer is completely useless and I know all of that!
>
> I doubt that! Just a few lines above you say that you do not know how a
> ca-certs file has to be built. And you obviously do not understand why a
> "Secure connections" checkbox is *required* in the client GUI.

No I don't, because you never give a demonstration of the requirements, and it
complicates the GUI and it will be a source of errors.

> >> It's my daily business. I've seen lots of bad stuff like
> >> this in these years. And I know why they will not work out in the long
> >> run -- if they work at all. What makes you believe you are smarter
> >> about IT security?
> >
> > I will never accept arguments that are based on authority. Explain what is
> > wrong? What will go bad?
>
> You should not accept my arguments because of authority, but because I
> simply have more experience in implementing security than you. We can
> discuss for weeks without result, since you can always neglect the "facts".
>
> Just to point out some of your faults:
>
> * You are implementing a system which is not adequate to the mechanisms
> you are using. You are misusing SSL. All you want to achieve is already
> well implemented and tested in SSL.

But hard to maintain. You can not read ca-cert files.
Even Google has not yet succeeded in implementing a good cert management interface:
http://code.google.com/p/chromium/wiki/LinuxCertManagement

> * You are using outdated algorithms: md5 must not considered broken,
> NIST does not recommend it for new applications since years.

I use both md5 and sha1, which is often recommended on websites. And md5 is
still used by OpenSSH for fingerprints.

> * You are re-inventing the wheel. This is not only a waste of time, but
> also a security risk: Every additional piece of software may have
> additional vulnerabilities. Even your "trivial" implementation currently
> has bugs and is more complicated than necessary.

Which bugs? What is too complicated?

> Yes, one could easily
> correct this. But why? Simply use the one-liners I posted and everything
> is done.
>
> * Your solution only solves a special case, while there is a more
> generic solution available (and tested): When using fingerprints, you
> can only check for this very one certificate. Using certificates
> properly gives support for certificate chains for free. Much, much more
> powerful and less work to implement.

What is the usage of Tryton? In which case will it be required to have
certificate chains?

> These are typical faults of people not understanding how to implement
> security right.
>
> > I see that fingerprints are something that is done by some security solutions
> > like OpenSSH.
>
> Even OpenSSL has an option to print out the fingerprint:
>
> "openssl x509 -noout -in cert.pem -fingerprint"
>
> Where does Firefox store the fingerprints? Nowhere! It uses certificate
> chains.

I never talked about Firefox. Firefox uses CA certs because it is for public usage.

--
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email/Jabber: [email protected]
Website: http://www.b2ck.com/
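The two mechanisms argued over in the thread above, as an added example that is not part of the original messages nor of Tryton's code: a Python TLS client that either validates the full chain against a CA bundle (the approach the Python ssl documentation describes) or pins the leaf certificate by fingerprint in the colon-separated format that `openssl x509 -noout -fingerprint` prints. The function names (`fingerprint`, `check_pin`, `make_ca_context`, `make_pinned_context`, `connect_pinned`) and the `SAMPLE_DER` byte string standing in for a DER-encoded certificate are assumptions made for this illustration. SHA-256 is used as the default digest; md5 and sha1 are accepted only so that values copied from older tooling can be compared.

```python
"""Two ways a TLS client can decide whether to trust a server certificate:
CA-chain validation or fingerprint pinning of the leaf certificate.
Example code written for this discussion, not Tryton's implementation."""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER encoding of a server certificate. A real
# DER blob would come from `openssl x509 -in cert.pem -outform DER` or from
# SSLSocket.getpeercert(binary_form=True); any bytes work for the hashing.
SAMPLE_DER = bytes(range(256)) * 3


def fingerprint(der, algo="sha256"):
    """Return the certificate fingerprint in the same colon-separated,
    upper-case form that `openssl x509 -noout -fingerprint -<algo>` prints
    after the "Fingerprint=" label."""
    if algo not in ("sha256", "sha1", "md5"):
        raise ValueError("unsupported fingerprint algorithm: %s" % algo)
    digest = hashlib.new(algo, der).digest()
    return ":".join("%02X" % b for b in digest)


def _normalise(fp):
    # Accept "AB:CD:..." (openssl output), "ab:cd:..." or bare hex.
    return fp.strip().replace(":", "").lower()


def check_pin(der, pinned, algo="sha256"):
    """True if the certificate's fingerprint equals the pinned value.
    A constant-time comparison avoids leaking how much of the expected
    value matched; a pin of the wrong length for the algorithm is rejected."""
    expected = _normalise(pinned)
    if len(expected) != 2 * hashlib.new(algo).digest_size:
        return False
    return hmac.compare_digest(_normalise(fingerprint(der, algo)), expected)


def make_ca_context(cafile=None):
    """Client context that validates the whole chain against CA certificates
    (cafile such as a ca-bundle.crt, or the system store when None) and
    checks the hostname: the generic, chain-aware mechanism."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_pinned_context():
    """Client context for fingerprint pinning. OpenSSL's chain validation is
    switched off, so the caller MUST verify the leaf with check_pin() after
    the handshake; until then the connection is unauthenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host, port, pinned, timeout=10.0):
    """Open a TLS connection and keep it only if the presented leaf
    certificate matches the pinned SHA-256 fingerprint. Network helper,
    not exercised by the offline checks in __main__."""
    ctx = make_pinned_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not check_pin(der, pinned):
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls


if __name__ == "__main__":
    print("SHA256 Fingerprint=" + fingerprint(SAMPLE_DER))
    print("pin matches:", check_pin(SAMPLE_DER, fingerprint(SAMPLE_DER)))
    print("tampered cert:", check_pin(SAMPLE_DER + b"\x00", fingerprint(SAMPLE_DER)))
    print("CA context verifies chain:", make_ca_context().verify_mode == ssl.CERT_REQUIRED)
```

The pinned path only ever accepts the single certificate whose fingerprint was recorded, which is the limitation raised in the thread: rotating the server key means redistributing the pin, whereas the CA-bundle path accepts any chain that terminates in a trusted CA. Either way the client must fail closed when verification fails, which is why `connect_pinned` closes the socket before raising.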
