On Thu, Jun 11, 2009 at 01:14:28PM -0500, Shawn Walker wrote: > [email protected] wrote: >> On Thu, Jun 11, 2009 at 12:39:25PM -0500, Shawn Walker wrote: >>> I feel like peer verification has to be under customer control >>> because the repository requiring the certificate may be their own >>> and so a CA Cert may not be available for whatever reason. >> >> In this case, the customer has a self-signed certificate and can place >> that cert in the site-specific certs directory described in case #2 of >> the proposal. > > See my other reply about the depot and cherrypy limitations. A CA Cert > may not be possible/supported.
I saw your subsequent comment, but it didn't make sense to me. Somebody has to sign the server's key. When that somebody is a trusted third party, we generally refer to the somebody as a Certificate Authority (CA). Are you saying that CherryPy uses SSL for encryption but not authentication? I.e. it doesn't request the client's certificate as part of the SSL handshake? In that case, I'm still pretty sure that it has to present its own server certificate. If so, the client still wants to verify that it trusts the signature on the key in the server's certificate. If you have a SSL CherryPy depot set up, or have instructions for how to do this somewhere, I'd be happy to test the client against it. We can use those results as a basis for further discussion, if you'd like. > In other words, control over peer verification, is in my view, > necessary. However, I wasn't trying to suggest *when* it would happen; > just that it should at some point. I would hope that it's not necessary, but if it is, then I agree that this should probably be a per-repository option. -j _______________________________________________ pkg-discuss mailing list [email protected] http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
