On 02/01/2013 01:30 AM, Nathan Scott wrote:
> Hi all,
> I've made a tutorial style write-up of recent work done in
> PCP to allow secure connections to be established. Please
> have a read & let me know if you have any feedback.
> http://oss.sgi.com/projects/pcp/pcp-gui.git/man/html/lab.secure.html
I've now had a chance to take a look at this. It all looks
technically correct, which is to say that it will work. There are
perhaps some usability items that could be improved.
- fche has already mentioned allowing the clients to obtain a
server's certificate directly from the server. This could be
part of the "bad cert handler" where when a server's certificate
is not trusted by the client, the client gives the user the
opportunity to say "yes, I trust this server". The server could
be trusted just for one session (the server's certificate is not
added to the client's database of trusted certificates), or
permanently (the server's certificate is added to the client's
database of trusted certificates). Users of Firefox may find
this procedure familiar.
- When using a certificate authority, it is sufficient for the
clients to have the CA's signing certificate (as opposed to the
server's actual certificate). This is the certificate that the
CA uses to sign the certificates that it issues. If the client
has the CA's signing certificate then it also trusts any
certificates which are signed using that certificate. In this
way, when the server's certificate expires, and it obtains a new
certificate from the CA, the new certificate will be
automatically trusted by clients without having to obtain a new
certificate from the server.
Dave