[Psi-devel] account defaults don't work for google talk

textshell-I1QKlO at neutronstar.dyndns.org
Thu Mar 1 15:27:15 PST 2007


On Thu, Mar 01, 2007 at 06:17:10PM -0500, Hal Rottenberg wrote:
> On 3/1/07, textshell-I1QKlO at neutronstar.dyndns.org
> > > With GOOGLE-TOKEN, we *can* impose that the certificate must validate,
> > > because there is only one login server, and it is a part of the
> > > authentication mechanism (not an exception for a server).
> > >
> >
> > We could force users to import their servers certs into psi and
> > only then use PLAIN over TLS if the user selected the
> > "plaintext over encrypted" option.
> 
> Someone correct me if I'm wrong, but I was under the impression that
> QCA2 already supports a tri-platform OS certificate store, thus making
> this a pretty good option.  At least on Windows where it's pretty
> trivial to add a cert, there's a wizard and everything.
> 
> At least this was what I had talked about with Justin before he got
> too far into QCA2.  I don't know if this was finished however.
> 

It does. But there are two problems:
1) adding to the store used by QCA is non-trivial on Unix (because there isn't really
   a well agreed upon common one with good GUI utils)
   
2) The user might not want to trust that pseudo CA to sign certificates used in
   web banking and would prefer to add it locally for Psi.
   

I just asked on the MUC; QCA2 uses Windows/IE's normal cert store,
but if you say those are OK, QCA2 does everything needed, no problem.

On my setup gmail.com doesn't show up a cert warning....

 - Martin

