On Tue, Apr 09, 2002 at 11:20:57AM -0400, Greg Hudson wrote:
> On Tue, 2002-04-09 at 11:04, Kevin Pilch-Bisson wrote:
> > Sorry, I should have read the whole issue. I would say that only a small part
> > of the stuff mentioned in the issue needs to be done for alpha. Namely
> > caching the server certs or there fingerprints so that we can detect
> > man-in-the-middle attacks.
>
> Eh? This is not ssh. Either a certificate is signed by a chain leading
> to a trusted CA or it's not.
>
> I suppose you could cache self-signed certificates so that you'd know if
> you're getting the same one each time, but certificates do expire, so
> that's not especially valuble.
I use self-signed certificates, and send them to thoose who need them
through a trusted channel; phone or gpg signed email.
Saving certificate fingerprints, or even whole certificates is a must.
There should also be a way to pre-install certificates prior to the
first use.
I'm not saying this is an important issue for the time being, but
sometime in the future it should be implemented.
--
Peter Mathiasson, peter at mathiasson dot nu, http://www.mathiasson.nu
GPG Fingerprint: A9A7 F8F6 9821 F415 B066 77F1 7FF5 C2E6 7BF2 F228
- application/pgp-signature attachment: stored
Received on Tue Apr 9 22:38:43 2002