On Tue, Apr 09, 2002 at 11:20:57AM -0400, Greg Hudson wrote:
> On Tue, 2002-04-09 at 11:04, Kevin Pilch-Bisson wrote:
> > Sorry, I should have read the whole issue. I would say that only a small part
> > of the stuff mentioned in the issue needs to be done for alpha. Namely
> > caching the server certs or there fingerprints so that we can detect
> > man-in-the-middle attacks.
> Eh? This is not ssh. Either a certificate is signed by a chain leading
> to a trusted CA or it's not.
> I suppose you could cache self-signed certificates so that you'd know if
> you're getting the same one each time, but certificates do expire, so
> that's not especially valuble.
I use self-signed certificates, and send them to thoose who need them
through a trusted channel; phone or gpg signed email.
Saving certificate fingerprints, or even whole certificates is a must.
There should also be a way to pre-install certificates prior to the
I'm not saying this is an important issue for the time being, but
sometime in the future it should be implemented.
Peter Mathiasson, peter at mathiasson dot nu, http://www.mathiasson.nu
GPG Fingerprint: A9A7 F8F6 9821 F415 B066 77F1 7FF5 C2E6 7BF2 F228
Received on Tue Apr 9 22:38:43 2002
- application/pgp-signature attachment: stored