<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2654.45">
<TITLE>RE: [JDEV] SSL & Valid Certificates</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>I am using the crypto API, so I will use the Windows Certificate store.</FONT>
<BR><FONT SIZE=2>Thanks for the feedback, I will let the users know when there is a </FONT>
<BR><FONT SIZE=2>problem with a cert.</FONT>
</P>
<P><FONT SIZE=2>-Robert</FONT>
</P>
<P><FONT SIZE=2>> -----Original Message-----</FONT>
<BR><FONT SIZE=2>> From: Michael F Lin [<A HREF="mailto:MFLIN@us.ibm.com">mailto:MFLIN@us.ibm.com</A>]</FONT>
<BR><FONT SIZE=2>> Sent: Wednesday, April 17, 2002 2:48 PM</FONT>
<BR><FONT SIZE=2>> To: jdev@jabber.org</FONT>
<BR><FONT SIZE=2>> Subject: Re: [JDEV] SSL & Valid Certificates</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> I would say that if you have access to system certificate APIs and stores</FONT>
<BR><FONT SIZE=2>> (e.g. the Windows CryptoAPI, or whatever Mozilla uses), it might be</FONT>
<BR><FONT SIZE=2>> worthwhile to verify the certificate chain. Otherwise I would say it is</FONT>
<BR><FONT SIZE=2>> unlikely to be worthwhile to expend the programmatic effort of maintaining</FONT>
<BR><FONT SIZE=2>> your own certificate stores and so on. Jabber traffic in general is</FONT>
<BR><FONT SIZE=2>> unlikely to be worth the effort necessary to hijack a DNS name and set up a</FONT>
<BR><FONT SIZE=2>> server with bogus certificates, and if it is that sensitive it should rely</FONT>
<BR><FONT SIZE=2>> on something more end-to-end than TLS.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> -Mike</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> From: Robert Temple <Robert.Temple@dig.com></FONT>
<BR><FONT SIZE=2>> Sent by: jdev-admin@jabber.org</FONT>
<BR><FONT SIZE=2>> Date: 04/14/2002 02:55 AM</FONT>
<BR><FONT SIZE=2>> Please respond to: jdev</FONT>
<BR><FONT SIZE=2>> To: "'jdev@jabber.org'" <jdev@jabber.org></FONT>
<BR><FONT SIZE=2>> cc:</FONT>
<BR><FONT SIZE=2>> Subject: [JDEV] SSL & Valid Certificates</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Should clients that support SSL connections to a jabber server check to</FONT>
<BR><FONT SIZE=2>> make sure that the server's certificate is valid? i.e. check if the names</FONT>
<BR><FONT SIZE=2>> match, the root is trusted, it's not expired, etc. If they should then I</FONT>
<BR><FONT SIZE=2>> plan to tell the user that there is an issue with the certificate like</FONT>
<BR><FONT SIZE=2>> Internet Explorer does, and ask them if they want to remain connected.</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Thanks,</FONT>
<BR><FONT SIZE=2>> Robert</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> _______________________________________________</FONT>
<BR><FONT SIZE=2>> jdev mailing list</FONT>
<BR><FONT SIZE=2>> jdev@jabber.org</FONT>
<BR><FONT SIZE=2>> <A HREF="http://mailman.jabber.org/listinfo/jdev" TARGET="_blank">http://mailman.jabber.org/listinfo/jdev</A></FONT>
<BR><FONT SIZE=2>> </FONT>
</P>
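<P><FONT SIZE=2>The three checks Robert lists (names match, root trusted, not expired) are exactly what a standard X.509 path validation performs. The following Go program is an added example, not code from the thread or from any Jabber client: it builds a constructed test CA and server certificate for the made-up host jabber.example, then runs the validation a client would apply to a server certificate and shows which check fails for a name mismatch, an untrusted root and an expired certificate. The helpers mkCert, testPKI and checkServerCert are hypothetical names chosen for this example.</FONT></P>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with priv; passing tmpl as its own parent yields a self-signed root (hypothetical helper).
func mkCert(tmpl, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return c
}

// testPKI builds a constructed CA and a server certificate for jabber.example (a made-up
// host name), both valid for one year from now.
func testPKI() (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, year := time.Now(), 365*24*time.Hour
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.Add(year), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	ca = mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf = mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "jabber.example"},
		DNSNames: []string{"jabber.example"}, NotBefore: now, NotAfter: now.Add(year),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf
}

// checkServerCert runs the three checks the thread lists: the chain ends at a root the
// client trusts (roots), a SAN matches the host the client dialled, and the certificate
// is within its validity period at now. A non-nil error is what the client shows the user.
func checkServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}
```

<P><FONT SIZE=2>The error types returned (x509.HostnameError, x509.UnknownAuthorityError, x509.CertificateInvalidError with Reason Expired) are distinct, so a client can tell the user which of the three checks failed rather than a generic "certificate problem".</FONT></P>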
</BODY>
</HTML>