On Thu, Jun 11, 2009 at 12:39:25PM -0500, Shawn Walker wrote: > I feel like peer verification has to be under customer control because > the repository requiring the certificate may be their own and so a CA > Cert may not be available for whatever reason.
In this case, the customer has a self-signed certificate and can place that cert in the site-specific certs directory described in case #2 of the proposal. > The primary reason I'm uncomfortable with the directory being the > arbiter of the behaviour is because peer verification is often defined > by the security policy of the user. While I'm aware that we may not > have a standard location yet for the certificates, it feels wrong to > decide security policy based on the presence of a directory. Let me repeat that this is not policy so much as it is a temporary workaround. Once we're delivering certs reliably, it'll be removed and we'll require peer verification. > Now whether this happens in a later implementation phase or doesn't > matter to me. I'm quite aware that the scope of transport changes has > already ballooned rather fearfully :) I don't understand this comment. -j _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
