Hi Dave,
----- Original Message -----
>
> I've now had a chance to take a look at this. It all looks
> technically correct, which is to say that it will work. There are
> perhaps some usability items that could be improved.
>
> * fche has already mentioned allowing the clients to obtain a
> server's certificate directly from the server. This could be
> part of the "bad cert handler" where when a server's certificate
> is not trusted by the client, the client gives the user the
> opportunity to say "yes, I trust this server". The server could
> be trusted just for one session (the server's certificate is not
> added to the client's data base of trusted certificates), or
> permanently (the server's certificate is added to the client's
> data base of trusted certificates). Users of Firefox may find
> this procedure familiar.
OK, yep - sounds good, will do.
> * When using a certificate authority, it is sufficient for the
> clients to have the CA's signing certificate (as opposed to the
> server's actual certificate). This is the certificate that the
> CA uses to sign the certificates that it issues. If the client
> has the CA's signing certificate then it also trusts any
> certificates which are signed using that certificate. In this
> way, when the server's certificate expires, and it obtains a new
> certificate from the CA, the new certificate will be
> automatically trusted by clients without having to obtain a new
> certificate from the server.
Ah, that makes a lot of sense. Where would the client look to find
the CA's certificates? I see there's an /etc/pki/nssdb that ships
with nspr, but it appears to be empty (no certs at all, according
to certutil -L). Are they installed somewhere else?
thanks!
--
Nathan
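
The difference between a client holding the CA's signing certificate and a client holding only the server's own certificate, as an added example that is not part of the original thread. It uses the openssl command line rather than NSS's certutil, and the CA name, host name and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path here is made up for illustration.
set -e
WORK=$(mktemp -d)

# Minimal openssl config so the demo does not depend on a system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed CA signing certificate: the one item clients need to import.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/demo.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a server certificate signed by the CA; $1 is the output basename.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" \
        -subj "/CN=server.example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 7 -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Print "trusted" if certificate $2 verifies against trust store $1.
# -partial_chain lets a non-CA certificate in the store act as a trust anchor,
# which models a client that holds only the server's own certificate.
trust_check() {
    if openssl verify -partial_chain -CAfile "$WORK/$1.pem" "$WORK/$2.pem" \
        >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

make_ca
issue_server_cert old      # certificate the server uses today
issue_server_cert renewed  # certificate obtained after "old" expires

echo "client holds CA cert,  server presents renewed: $(trust_check ca renewed)"
echo "client holds old cert, server presents old:     $(trust_check old old)"
echo "client holds old cert, server presents renewed: $(trust_check old renewed)"
```

Only the last case fails: a client that stored the server's old certificate has to fetch the renewed one, while a client that stored the CA's signing certificate accepts it unchanged.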