
List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Anthony Moulen <ajmoulen () alum ! mit ! edu>
Date:       2009-06-11 14:16:48
Message-ID: 200906111016.48730.ajmoulen () alum ! mit ! edu

>  On Wednesday 10 June 2009 20:42:12 Anthony J Moulen wrote:
>> If you work inside a large corporate environment you will probably find
>> a lot of self signed certificates.  If they have done the right thing they
>> will have established an internal signer to sign all the certificates, but
>> many won't do this, or with hundreds of test environments it isn't cost
>> effective to really manage anything but self signed with long
>> expiration dates.
>
>You raise good points but at the same time, the use-case for the dialog
> should not be adjusted toward making it easier for large corporations to
> click-through their broken certificates.
>
>Large corporations that use KDE will not be compiling it from kde.org but
> will instead be purchasing it via a distribution vendor, who can make any
> necessary dialog fixups/changes to support the needs of the corporation.
>
I work for a sizable corporation, and I have compiled my own KDE as well as
using a distribution package; nothing special was done with this.  But I am not
sure how this really applies. I wouldn't advocate that KDE should change their
design because of this; I am stating that self-signed certificates are not
inherently bad, that it is situational.  There are cases where they are
better, and places where they are worse than commercial certificates.  To say 
that they are just bad is associating the certificates directly with security 
rather than encryption.  They do not provide security by themselves, and 
unless you check every certificate manually, a self signed certificate at the 
least causes you a moment of pause to think about what you are about to do 
while a commercial cert you just race on ahead with.  

We could get into the whole, "The Problem with the Internet is..." discussion 
but that is way off topic.  Cleaning up the SSL warning dialog would definitely 
be helpful.  Unifying the dialogs would also be helpful (I think kmail has its 
own dialog which is different for SSL/TLS protocol servers from konqueror).

 