> its CA chain are sane, and (2) verifying that my server handles 
> real-world remote certs properly.  Oh, and (3) if I need to relax the 
> verification settings so that it doesn't drop traffic due to "bad" 
> certs.

This is the really annoying part. You have to choose between accepting crappy 
certs or not getting any connection.

Plus, if you want things like PFS, it also depends on the right version of all 
the software involved ...

DANE is nice, but the complexity is huge. And don't get me started on key/cert 
rollovers.


All this pain, and we're still talking about the transport layer. The user has 
no control over this layer. He needs to trust that everything was configured 
the right way.
Without OTR/PGP, the user is still at risk of disclosed cleartext messages.


rm
