[JDEV] SSL & Valid Certificates
Michael F Lin
MFLIN at us.ibm.com
Wed Apr 17 16:47:54 CDT 2002
I would say that if you have access to system certificate APIs and stores
(e.g. the Windows CryptoAPI, or whatever Mozilla uses), it might be
worthwhile to verify the certificate chain. Otherwise I would say it is
unlikely to be worthwhile to expend the programmatic effort of maintaining
your own certificate stores and so on. Jabber traffic in general is
unlikely to be worth the effort necessary to hijack a DNS name and set up a
server with bogus certificates, and if it is that sensitive it should rely
on something more end-to-end than TLS.
-Mike
From: Robert Temple <Robert.Temple at dig.com>
Sent by: jdev-admin at jabber.org
Date: 04/14/2002 02:55 AM
To: "'jdev at jabber.org'" <jdev at jabber.org>
Subject: [JDEV] SSL & Valid Certificates
Should clients that support SSL connections to a jabber server check to
make sure that the server's certificate is valid? i.e. check if the names
match, the root is trusted, it's not expired, etc. If they should, then I
plan to tell the user that there is an issue with the certificate, like
Internet Explorer does, and ask them if they want to remain connected.
Thanks,
Robert
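As an added example (not code from either message in this thread, and not Jabber project code), the three checks Robert lists, implemented against the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns for a peer certificate: the name matches (DNS subjectAltNames, falling back to the subject CN, with wildcards restricted to the whole leftmost label), the issuer is a configured trusted root, and the validity window contains the current time. The certificate dictionary, the trusted-root set and the check timestamps are constructed sample data; signature and chain-building are assumed to be done by the TLS library underneath, this is only the policy layer a client would apply on top.

```python
import ssl
import time

# Constructed sample data, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "jabber.example.org"),),),
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Apr  1 00:00:00 2002 GMT",
    "notAfter": "Apr  1 00:00:00 2003 GMT",
    "subjectAltName": (("DNS", "jabber.example.org"),
                       ("DNS", "*.im.example.org")),
}

# Constructed: issuer common names this client is configured to trust.
TRUSTED_ROOTS = {"Example Root CA"}

# Constructed check times: one inside the validity window, one after it.
NOW_OCT_2002 = ssl.cert_time_to_seconds("Oct  1 00:00:00 2002 GMT")
NOW_JAN_2010 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2010 GMT")


def _dn_value(dn, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() DN tuple."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, wildcard only as the whole
    leftmost label, and the wildcard matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if not all(h) or len(p) != len(h):
        return False
    if p[0] == "*":
        # '*.org' would match every .org host; require at least two fixed labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_names(cert):
    """Names the certificate is valid for: DNS SANs, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = _dn_value(cert.get("subject", ()), "commonName")
    return [cn] if cn else []


def check_server_cert(cert, hostname, trusted_roots=TRUSTED_ROOTS, now=None):
    """Return the list of problems found; an empty list means the cert passes.

    Mirrors the three checks from the thread: name matches, root trusted,
    not expired.  Chain signature verification is left to the TLS library
    (ssl.create_default_context() performs it); this is the policy layer."""
    problems = []
    now = time.time() if now is None else now

    names = cert_names(cert)
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("hostname %r not in certificate names %r" % (hostname, names))

    issuer_cn = _dn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn not in trusted_roots:
        problems.append("issuer %r is not a trusted root" % issuer_cn)

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    elif now > not_after:
        problems.append("certificate expired")

    return problems


if __name__ == "__main__":
    # A client would call this with sock.getpeercert() after the handshake
    # and, as Robert proposes, show the problems to the user before continuing.
    for host in ("jabber.example.org", "alice.im.example.org", "evil.example.net"):
        print(host, check_server_cert(SAMPLE_CERT, host, now=NOW_OCT_2002))
```

With a real connection the same function is fed `sock.getpeercert()` from a socket wrapped by an `ssl.SSLContext` that has `verify_mode=CERT_REQUIRED`, since `getpeercert()` returns an empty dict when the handshake did no verification at all.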