problems with MSN certificate chain

David Woolley forums at david-woolley.me.uk
Fri Jan 18 16:22:01 EST 2013


Matthias Apitz wrote:
> On Friday, January 18, 2013 at 04:34:03PM +0000, David Woolley wrote:
> 
>> Probably because one would have to use all of the Windows public key 
>> infrastructure, instead of the open source implementation.
>>
>> The non-Windows ones are probably designed for use with OpenSSL.
>>
>> In Matthias' case, he ran a system call trace, and Pidgin is using 
>> /usr/local/share/purple/ca-certs, which is clearly a private store in 
>> Pidgin.  This is on FreeBSD.
> 
> Note: the directory /usr/local/share/purple/ca-certs is not writable
> by normal users; it is owned by 'root', i.e. the files
> there were stored when I compiled(!) and installed pidgin in December 2011

These are not files that should be updated quietly as they are critical 
to the security of encrypted IM services.   As they are private to 
Pidgin, they can only safely be updated by installing a later version of 
Pidgin, or by explicitly placing them there yourself.  However, even the 
latest version has long dead certificates.

I would guess that, on a system with shared root certificates, they 
would be updated by the standard package update procedure.

In fact, as I think I noted off list, on Windows, for applications using 
the Windows certificate store, updates aren't actually automatic.  That 
is probably because an organisation seriously interested in security 
would only want to enable certain certification services from certain 
certifiers.  Very few people have heard of most of the organisations 
that Microsoft allow to vouch for a site's identity, and even the well 
known ones have various levels of check on the identity of the people 
they certify.


-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
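A practical follow-up to the point above about the private store holding long-dead certificates is to audit it rather than trust the install date. The script below is an added example, not Pidgin's own code and not something posted in the thread. It assumes the layout Matthias's strace showed (a flat directory such as /usr/local/share/purple/ca-certs with one PEM certificate per file), parses only enough X.509 DER to reach the Validity field using the standard library, and reports each certificate as expired, not yet valid or ok. The `constructed_cert` helper builds an unsigned skeleton purely so the checker can be exercised offline; it is constructed sample data, not a real CA certificate.

```python
"""Report expired CA certificates in a flat PEM directory.
Added example for this thread, not Pidgin's code.  Assumes a directory
like /usr/local/share/purple/ca-certs holding one PEM cert per file."""
import base64
import datetime
import os
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = datetime.timezone.utc


def pem_to_der(data):
    """Return the DER bytes of every certificate in a PEM blob."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(data)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed type's payload into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ, RFC 5280 pivot at 1950
        yy = int(s[:2])
        year, s = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:                      # YYYYMMDDHHMMSSZ
        year, s = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    mo, d, h, mi, sec = (int(s[i:i + 2]) for i in range(0, 10, 2))
    return datetime.datetime(year, mo, d, h, mi, sec, tzinfo=UTC)


def validity(der):
    """Return (notBefore, notAfter) from a DER-encoded Certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    vtag, vval = fields[3]                 # serialNumber, signature, issuer, validity
    if vtag != 0x30:
        raise ValueError("validity field is not a SEQUENCE")
    (t1, v1), (t2, v2) = _children(vval)
    return _time(t1, v1), _time(t2, v2)


def classify(der, now=None):
    """'expired', 'not-yet-valid' or 'ok' relative to now (default: current UTC)."""
    now = now or datetime.datetime.now(UTC)
    not_before, not_after = validity(der)
    if not_after < now:
        return "expired"
    if not_before > now:
        return "not-yet-valid"
    return "ok"


def scan(directory):
    """Yield (filename, notAfter, status) for every certificate under directory."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            for der in pem_to_der(f.read()):
                yield name, validity(der)[1], classify(der)


def _der(tag, payload):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def constructed_cert(not_before, not_after):
    """Constructed, unsigned skeleton (NOT a real CA cert): only the tbsCertificate
    fields up to Validity are present; times are UTCTime strings like '111231235959Z'."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                   # [0] version v3
           + _der(0x02, b"\x01")                             # serialNumber
           + _der(0x30, b"")                                 # signature (empty)
           + _der(0x30, b"")                                 # issuer (empty)
           + _der(0x30, _der(0x17, not_before.encode())
                        + _der(0x17, not_after.encode())))   # validity
    return _der(0x30, _der(0x30, tbs))


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block."""
    body = base64.encodebytes(der).replace(b"\n", b"")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/share/purple/ca-certs"
    for name, not_after, status in scan(target):
        print("%-14s %s  %s" % (status, not_after.date(), name))
```

Run it as `python3 check_ca_certs.py /usr/local/share/purple/ca-certs` (the file name is arbitrary). Anything reported as expired is a root Pidgin can no longer use to validate a chain, and the fix is exactly what David describes: a newer Pidgin release or a deliberate, root-level replacement of the file, not a silent update.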