On 10/04/2010 02:25 PM, Michal Kleczek wrote:
> Sure - I understand that.
> My point is actually that it requires a trust relationship with the code server.
> In other words - for me to securely communicate with you we both have to trust
> a single third party (the code server). I don't want that - I just trust you
> but neither you nor I have the necessary infrastructure to have a trusted code
> server - can we still securely communicate using GMail as our code server?

Yes we can. But not for the part of downloading the code from gmail.
I guess you are referring to the case where the code is provided by
another place than where the ServerEndpoint is located. And the code
provider's TLS session does not have access to the private key that was
used for signing the code. I haven't thought about that one (yet). But I
guess that one is also solvable.
My original thinking was about a code server service, running on the
same ServerEndpoint as the service.
Gr. Sim