The Pidgin Certificate Manager
simon at sxw.org.uk
Tue Jun 19 11:33:40 EDT 2007
On 19 Jun 2007, at 16:17, William Ehlhardt wrote:
> I failed to mention this before, but I am particularly looking for
> input on the CertificateAuthorizer structure/logic; I know that
> someone was working on AIM Personal Certificate support, which
> apparently uses X.509 certificates, but possibly different
> verification logic from that used for SSL authorization of servers.
Using X509 client certificates to authenticate a client to a server
is an entirely different can of worms from verifying X509 server
certificates. They almost certainly require different code paths, and
different handling. In particular, you never need to verify a client
certificate (if the client wants you to use it, you should use it -
it's up to the server to decide on whether it's valid or not).
> Do we really need more than one piece of authorization logic?
> Eliminating the CertificateAuthorizer structure could make things
> somewhat simpler, but I suspect that support of a couple different
> authorization semantics would be useful.
Please be careful with your terminology. Lots of people infer what
something's doing from what a thing's called. You seem to be using
'authorizer' and 'authenticated' interchangeably, whereas both
Authorization and Authentication have formally, clearly defined
meanings when dealing with security code. Neither of them is what
you're doing - which is certificate verification. It would make your
code, and your proposals clearer, if you could stick to standard naming.