[OpenID] [security] Trust + Security @ OpenID

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sat Jul 21 14:03:58 UTC 2007


Apache web servers often come with a CA bundle installed (mostly on 
Linux distributions). This is usually a dump from the NSS (Mozilla) 
store. One can easily add more PEM-encoded certificates to that bundle - 
all the ones you want to trust. An implementation can require valid 
certificates traceable back to a root in the CA bundle.

I don't know much about IIS (anymore), but I guess the same could be 
possible there, using the local machine store.

Eric Norman wrote:
> On Jul 20, 2007, at 8:30 AM, Johnathan Nightingale wrote:
>
>   
>> As Dmitry observes, the protection it offers is useless if there are 
>> http (i.e. non-SSL/TLS) links in the chain.
>>     
>
> True enough.  But there's more.  Many will argue that such
> protection is also useless unless the correct trust anchors
> (some folks call them "root" certificates) are deployed at
> the correct places.  This is far easier to say than accomplish.
>
> Eric Norman
> http://ejnorman.blogspot.com

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390
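
Added example, not part of the original message: the bundle mechanism described above, shown with the openssl command line. It assumes openssl is installed; both roots, the server certificate and the name op.example.test are constructed for the demo in a temporary directory.

```shell
#!/bin/sh
# Added example. Every key, certificate and name here is constructed for the
# demo inside a temporary directory; nothing touches the system CA bundle.

# Exit 0 only if openssl can build a chain from the certificate ($2) to a
# trusted root, with the PEM bundle ($1) supplied as the trust anchors.
chains_to_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Make a self-signed root: $1 = output file prefix, $2 = common name.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Prints "<before> <after>": the verdict on the same server certificate
# before and after its issuing root is appended to the bundle.
demo_bundle_trust() {
    d=$(mktemp -d) || return 1
    make_root "$d/distro" "Demo Distro Root"   # stands in for the shipped bundle
    make_root "$d/extra"  "Demo Extra Root"    # the CA we decide to trust
    # Server certificate for a hypothetical endpoint, issued by the extra root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=op.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/extra.pem" \
        -CAkey "$d/extra.key" -CAcreateserial -days 1 \
        -out "$d/leaf.pem" 2>/dev/null

    cp "$d/distro.pem" "$d/ca-bundle.pem"
    if chains_to_bundle "$d/ca-bundle.pem" "$d/leaf.pem"
    then before=accepted; else before=rejected; fi

    # Adding a CA to the bundle is just appending its PEM block.
    cat "$d/extra.pem" >> "$d/ca-bundle.pem"
    if chains_to_bundle "$d/ca-bundle.pem" "$d/leaf.pem"
    then after=accepted; else after=rejected; fi

    rm -rf "$d"
    echo "$before $after"
}

demo_bundle_trust
```

The same certificate goes from rejected to accepted with no change on the server side, so every entry appended to the bundle is a root whose issued certificates the verifier will accept.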