On Sat, Jan 3, 2009 at 4:34 PM, Peter Watkins <span dir="ltr"><<a href="mailto:peterw@tux.org">peterw@tux.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<br>Can't you "just" add the CAs to trusted roots for the Windows account<br>that the <a href="http://asp.net" target="_blank">asp.net</a> app runs as? </blockquote><div> </div>Not while that <a href="http://ASP.NET">ASP.NET</a> app is running with medium trust. <div>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Sat, Jan 3, 2009 at 4:34 PM, Peter Watkins <span dir="ltr"><<a href="mailto:peterw@tux.org">peterw@tux.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Can't you "just" add the CAs to trusted roots for the Windows account<br>
that the <a href="http://asp.net" target="_blank">asp.net</a> app runs as? I suppose it'd be tougher for folks<br>
using integrated auth & impersonation, but I also expect most <a href="http://asp.net" target="_blank">asp.net</a><br>
webapps doing OpenID auth aren't using impersonation. Similarly, I'd<br>
expect to be able to remove CA certs from the <a href="http://asp.net" target="_blank">asp.net</a> webapp user's<br>
profile in order to shorten the CA whitelist.<br>
<br>
I don't know how tough it is to edit the root certs for the profiles of<br>
app pool-type accounts, and hope you'll forgive my not firing up<br>
Studio on a Saturday night to see if there's an obvious API. :-)<br>
<br>
On *nix it's usually pretty straightforward -- find the keystore<br>
holding root certs and manipulate it via OpenSSL, Java keytool,<br>
or whatever app is appropriate for the environment. Is it not the<br>
same in Windows?<br>
<font color="#888888"><br>
-Peter<br>
</font><div><div></div><div class="Wj3C7c"><br>
On Sat, Jan 03, 2009 at 03:24:37PM -0800, Andrew Arnott wrote:<br>
> Definitely some interesting thoughts in there.<br>
> I'll add one more: while it makes a sensible default for Microsoft to cause<br>
> .NET connections to HTTPS servers without a signed cert by a known good CA<br>
> to fail, it doesn't seem like it should require the whole machine to trust<br>
> the individual web site if that web site wishes to go ahead and make a<br>
> connection. Crying out loud: if a partial trust web site can initiate an<br>
> HTTP connection to a random server (which it can, with GoDaddy's small<br>
> deviation to Medium Trust), why couldn't it also open an HTTPS connection in<br>
> order to encrypt the traffic, and decide to be its own judge on the validity<br>
> of that certificate?<br>
><br>
> I'm going to poke around Microsoft and see if I can't get this policy<br>
> changed so that .NET clients can approve of these certs signed by<br>
> lesser-known CAs.<br>
</div></div></blockquote></div><br></div>