[117488] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: delegating SSL certificates

daemon@ATHENA.MIT.EDU (Bill Squier)
Tue Mar 18 14:04:28 2008

Cc: John Levine <johnl@iecc.com>, cryptography@metzdowd.com,
	ben@links.org
From: Bill Squier <groo@old-ones.com>
To: "Leichter, Jerry" <leichter_jerrold@emc.com>
In-Reply-To: <Pine.SOL.4.61.0803170952020.21837@mental>
Date: Mon, 17 Mar 2008 13:33:32 -0400


On Mar 17, 2008, at 10:06 AM, Leichter, Jerry wrote:

> | >> So at the company I work for, most of the internal systems have
> | >> expired SSL certs, or self-signed certs.  Obviously this is bad.
> | >
> | >You only think this is bad because you believe CAs add some value.
> |
> | Presumably the value they add is that they keep browsers from  
> popping
> | up scary warning messages....
> Apple's Mail.app checks certs on SSL-based mail server connections.
> It has the good - but also bad - feature that it *always* asks for
> user approval if it gets a cert it doesn't like.

Fixed in Leopard.  Certificate handling in general appears to be  
better -- although I can't be sure Tiger didn't let you fiddle with  
fine-grained entitlements as to when to trust a cert.

-wps

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post