[JDEV] SSL & Valid Certificates
David Waite
mass at akuma.org
Sun Apr 14 09:31:30 CDT 2002
Yep, it should probably have the same logic as a web browser; if the
cert is valid (signed, contains the correct domain, hasn't expired,
etc), no need to prompt. If it is not signed by a known CA, warn the
user. You should also cache these latter certs locally - otherwise, you
have no verification against man-in-the-middle attacks.
-David Waite
Robert Temple wrote:
> Should clients that support SSL connections to a Jabber server check
> to make sure that the server's certificate is valid? i.e. check if the
> names match, the root is trusted, it's not expired, etc. If they
> should, then I plan to tell the user that there is an issue with the
> certificate like Internet Explorer does, and ask them if they want to
> remain connected.
>
> Thanks,
> Robert
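
Added example, not part of the original thread and not code from any Jabber client: a Python sketch of the check-then-cache logic discussed above, where a certificate that passes normal validation needs no prompt and one that fails is compared against a locally cached fingerprint. The function names, the JSON pin file, the four result strings and the host jabber.example are assumptions made for illustration.

```python
import hashlib, hmac, json, os, socket, ssl

def _peer_der(ctx, host, port):
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fetch_cert(host, port):
    """Return (ca_valid, der); ca_valid means chain, hostname and expiry all passed."""
    try:
        return True, _peer_der(ssl.create_default_context(), host, port)
    except ssl.SSLCertVerificationError:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # handshake only to read the cert for the pin check
        return False, _peer_der(ctx, host, port)

def _load(path):
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)

def decide(host, der, ca_valid, store_path):
    """'valid': no prompt; 'first-seen': warn the user; 'cached': same cert as
    accepted before; 'changed': differs from the cached cert (possible MITM)."""
    if ca_valid:
        return "valid"
    fingerprint = hashlib.sha256(der).hexdigest()
    cached = _load(store_path).get(host)
    if cached is None:
        return "first-seen"
    return "cached" if hmac.compare_digest(cached, fingerprint) else "changed"

def remember(host, der, store_path):
    """Cache the fingerprint of a certificate the user chose to accept."""
    pins = _load(store_path)
    pins[host] = hashlib.sha256(der).hexdigest()
    with open(store_path, "w") as f:
        json.dump(pins, f)

if __name__ == "__main__":
    import tempfile
    store = os.path.join(tempfile.mkdtemp(), "pins.json")
    cert = b"constructed stand-in for DER bytes"  # constructed, not a real certificate
    print(decide("jabber.example", cert, False, store))
    remember("jabber.example", cert, store)
    print(decide("jabber.example", cert, False, store))
    print(decide("jabber.example", b"constructed other cert", False, store))
```

A client would call fetch_cert() on connect, pass its result to decide(), and call remember() only after the user accepts a "first-seen" certificate.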