[Fedora-directory-users] Re: certificates
Susan
logastellus at yahoo.com
Thu Jan 12 18:40:05 UTC 2006
--- Howard Chu <hyc at symas.com> wrote:
> Stop for a moment and think that through. If you don't configure the
> client with a set of CAs to trust, then the only way to make the TLS
> handshake work is to tell the client not to attempt to verify the
> server's cert at all. That means any server can present any ol' made up
> certificate, claiming to be any entity, and the client will just blindly
> trust it.
oops, you're right, I didn't think that through. Of course.
it just seems that managing CA certs on the clients would be a real pain.
Besides, is there any way within this whole FDS framework to revoke Certs? If the ldap server is
compromised, how do I tell the clients not to trust it (or the CA or both) anymore???
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
More information about the Fedora-directory-users
mailing list