On Sun, Nov 21, 2010 at 04:45:34PM +0000, David Woolley wrote:
> Etan Reisner wrote:
>
>>
>> To answer this again: http://developer.pidgin.im/wiki/MSNCertIssue
>
> As this is telling people to do something potentially dangerous, I think it
> should also tell them to check that the issuer and subject on each
> certificate is different, i.e. that they are not being fed a potentially
> bogus root certificate.
>
> It may be safe to fetch the intermediate certificates from an untrusted
> source, but only if they really are only intermediate ones. At least I
> think that is true, but it is possible that openssl will stop when it finds
> a locally trusted intermediate certificate, in which case they need to
> verify the certificate chain before installing them.
>
> I know that some browsers will accept a locally trusted leaf certificate,
> even though they don't trust the corresponding root.

People don't understand certificates. At all. Which is why they were perfectly willing to download certificates for the omega server from any blog/host that happened to have them up.

That page is hosted on the pidgin.im server, the pem files come from the pidgin source, those exact files will be in the next release of pidgin which people will implicitly trust when they upgrade, etc.

Any text talking about verifying things is going to complicate and confuse the situation more than I think it could possibly help though I do appreciate the thinking that goes into requesting it.

I'm open to adding a note to the bottom explaining the potential dangers with doing this sort of thing but anything more than that I think would be too much.

-Etan
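
The issuer-versus-subject check suggested in the quoted message, written out as an added example (it is not part of this thread, the wiki page or Pidgin's code). It compares the encoded issuer and subject Names of every certificate in a PEM bundle byte for byte; all function names and the sample bundle are constructed for illustration.

```python
import base64, re

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the encoded issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, end = _tlv(der, pos)    # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields and fields[0][0] == 0xA0:  # optional [0] version
        fields.pop(0)
    # What remains: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def self_issued(pem_text):
    """For each certificate in a PEM bundle, in order: is issuer == subject?"""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    return [i == s for i, s in (issuer_and_subject(base64.b64decode(b)) for b in blocks)]

# Constructed sample input: unsigned skeletons with X.509 field order, not real certificates.
def _enc(tag, body=b""):
    assert len(body) < 0x80  # samples are small; short-form length only
    return bytes([tag, len(body)]) + body

def _name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))

def _sample_pem(issuer_cn, subject_cn):
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30)
               + _name(issuer_cn) + _enc(0x30) + _name(subject_cn))
    der = _enc(0x30, tbs + _enc(0x30) + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

BUNDLE = _sample_pem("Example Root CA", "Example Intermediate CA") + _sample_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print(self_issued(BUNDLE))
```

A `True` entry marks a certificate whose issuer equals its subject, which is the root-shaped case the quoted message warns about. The comparison inspects names only and does not verify signatures or the chain.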