[Psi-Devel] "Remember" option on certificate warning

Jesse Thompson jesse.thompson at doit.wisc.edu
Thu Feb 19 11:06:20 PST 2009


Justin Karneges wrote:
> On Thursday 19 February 2009 07:00:15 Jesse Thompson wrote:
>> It's not as simple as just getting a certificate for each domain.  If
>> you're a hosting provider, you don't have the authority to request
>> certificates for every domain you host.
>>
>> So, does that mean you will require the customer to provide you with a
>> new certificate in the 3 day renewal period every year when it expires?
> [...]
>> Even if you could obtain the certificates, the process of keeping them
>> up to date does not scale well.  If you host 10 domains, that's 10 times
>> you need to do server maintenance per year.  If you host 100 domains...
> 
> This is exactly how it works for web hosting.  I have to yearly renew my https 
> cert, just like a million other people have to.  I understand it's a pain in 
> the ass, but I don't see why IM security should be treated differently and 
> compromised.

Perhaps.  But I don't have experience running a web hosting service. 
How have the web hosting providers solved this problem?  Do the server 
administrators have to manually install every certificate?

I do, however, have experience with email hosting.  Email clients are 
able to connect securely to an email hosting provider without the 
provider having a valid certificate for the email domain.  I think IM 
hosting is more closely related to email hosting than to web hosting.


>> I would like Psi to have the option to let the user click "always trust
>> this server/certificate for this domain".  FS#111 addresses this issue
>> for self-signed certificates, but not for signed nonmatching certificates.
> 
> In any case, we plan to support this.

That's great!

Jesse


> 
> -Justin

-- 
   Jesse Thompson
   Division of Information Technology, University of Wisconsin-Madison
   Email/IM: jesse.thompson at doit.wisc.edu