[jdev] cert handling in xmpp *client* implementations
Justin Karneges
justin-keyword-jabber.093179 at affinix.com
Wed May 24 17:39:18 CDT 2006
On Wednesday 24 May 2006 14:46, Peter Saint-Andre wrote:
> Speaking of cert handling, how do jabber/xmpp clients currently handle
> server certificates? One approach would be to use the existing Mozilla
> NSS store, which is on Linux distros and even many Windows distros. But
> it would be good for clients to "do the right thing" in handling the
> certs for jabber/xmpp servers (I guess that would mean following best
> practices derived from the browser and email client markets).
>
> Perhaps it would be good to document such best practices? Section 14.2
> of RFC 3920 talks about this, but the text there may be a bit opaque for
> many client developers...

Psi 0.10 and prior contains a copy of the Windows root certificates from a
couple of years ago and uses that on all platforms.

Psi 0.11 (e.g. the betas) and onward uses the root certificates of the
operating system, and does not bundle certificates anymore. The benefit of
this approach is that a user can install a root certificate systemwide and
then it "just works" in Psi. This functionality works on Windows, Mac, and
Debian (or compatible Linux distros). For operating systems that don't have
root certificates (other linuxes or unixes), Psi bundles the Mozilla root
certificates.

IMO, I consider this to be the best practice. However, Mozilla doesn't do
this for some reason. On Windows, for example, they ignore the operating
system certificates and instead use their own bundled set. I'm now curious
what Opera does.

IE -> system
Safari -> system
Firefox -> bundled
Thunderbird -> bundled
Psi 0.11 -> system

-Justin
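
The policy described in the message above (operating-system roots first, a bundled set only where the platform has none), as an added example that is not part of the original post and is not Psi's code. It assumes Python's ssl module, where the "system" store means the Windows ROOT store on Windows and OpenSSL's default CA file and directory elsewhere; bundled-roots.pem is a hypothetical path.

```python
import os
import ssl
import sys

def system_roots_present(paths=None):
    """Report whether the platform trust store holds any root certificates."""
    if paths is None and sys.platform == "win32":
        # Windows: roots live in the OS certificate store, not in files.
        return bool(ssl.enum_certificates("ROOT"))
    paths = paths or ssl.get_default_verify_paths()
    if paths.cafile and os.path.isfile(paths.cafile) and os.path.getsize(paths.cafile):
        return True
    # A hashed CA directory is read lazily by OpenSSL, so inspect it directly.
    return bool(paths.capath and os.path.isdir(paths.capath)
                and os.listdir(paths.capath))

def choose_trust_source(bundled_ca_file, paths=None):
    """Prefer system roots, fall back to the bundled file, refuse to run with neither."""
    if system_roots_present(paths):
        return "system"
    if bundled_ca_file and os.path.isfile(bundled_ca_file):
        return "bundled"
    raise FileNotFoundError("no system roots and no bundled root file")

def make_client_context(bundled_ca_file):
    """Build a verifying TLS client context from the chosen trust source."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    source = choose_trust_source(bundled_ca_file)
    if source == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=bundled_ca_file)
    return ctx, source

if __name__ == "__main__":
    # "bundled-roots.pem" is a hypothetical application-shipped CA bundle.
    try:
        context, source = make_client_context("bundled-roots.pem")
        print("trust source:", source)
    except FileNotFoundError as exc:
        print("cannot verify servers:", exc)
```

Failing closed when neither source exists keeps the client from silently connecting without certificate verification.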