[jdev] cert handling in xmpp *client* implementations

Peter Saint-Andre stpeter at jabber.org
Wed May 24 17:47:25 CDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Justin Karneges wrote:
> On Wednesday 24 May 2006 14:46, Peter Saint-Andre wrote:
>> Speaking of cert handling, how do jabber/xmpp clients currently handle
>> server certificates? One approach would be to use the existing Mozilla
>> NSS store, which is on Linux distros and even many Windows distros. But
>> it would be good for clients to "do the right thing" in handling the
>> certs for jabber/xmpp servers (I guess that would mean following best
>> practices derived from the browser and email client markets).
>>
>> Perhaps it would be good to document such best practices? Section 14.2
>> of RFC 3920 talks about this, but the text there may be a bit opaque for
>> many client developers...
> 
> Psi 0.10 and prior contains a copy of the Windows root certificates from a 
> couple of years ago and uses that on all platforms.
> 
> Psi 0.11 (e.g. the betas) and onward uses the root certificates of the 
> operating system, and does not bundle certificates anymore.  The benefit of 
> this approach is that a user can install a root certificate systemwide and 
> then it "just works" in Psi.  This functionality works on Windows, Mac, and 
> Debian (or compatible Linux distros).  For operating systems that don't have 
> root certificates (other linuxes or unixes), Psi bundles the Mozilla root 
> certificates.
> 
> IMO, I consider this to be the best practice.  However, Mozilla doesn't do 
> this for some reason.  On Windows, for example, they ignore the operating 
> system certificates and instead use their own bundled set.  I'm now curious 
> what Opera does.
> 
>   IE -> system
>   Safari -> system
>   Firefox -> bundled
>   Thunderbird -> bundled
>   Psi 0.11 -> system

Thanks, that is helpful and does seem like the right approach. I suppose
a Moz-based client would probably use the Mozilla store since that seems
to be the preferred approach for Moz-based software...

Peter

- --
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdOJ9NF1RSzyt3NURAhQAAKCWJYNxVTgjnRtqlvmzUrOFFn3uagCgltU7
1RROl9MfmHdwCZDC3Kan+BI=
=sz3i
-----END PGP SIGNATURE-----