--- Howard Chu <hyc at symas.com> wrote:

> Stop for a moment and think that through. If you don't configure the
> client with a set of CAs to trust, then the only way to make the TLS
> handshake work is to tell the client not to attempt to verify the
> server's cert at all. That means any server can present any ol' made up
> certificate, claiming to be any entity, and the client will just blindly
> trust it.

Oops, you're right, I didn't think that through. Of course. It just seems
that managing CA certs on the clients would be a real pain.

Besides, is there any way within this whole FDS framework to revoke certs?
If the LDAP server is compromised, how do I tell the clients not to trust it
(or the CA, or both) anymore?
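The two client configurations Howard contrasts, as an added example that is not part of the original thread. It assumes the clients use the OpenLDAP client library and read their TLS settings from ldap.conf (or a per-user .ldaprc); the host name, the file paths and the CA nickname are placeholders. The first fragment is the "don't verify at all" setting he warns about; the second pins the trusted CA so the handshake fails unless the server's cert chains to it, and adds CRL checking, which is the client-side answer to the revocation question (the CA still has to issue and distribute the CRL):

```conf
# Added example, not from the thread. OpenLDAP client (ldap.conf / .ldaprc);
# paths and host name are placeholders.

# --- ldap.conf, WEAK ---
# No trusted CAs are configured, so the only way to get a handshake is to
# turn verification off. Any server can present any certificate, claiming
# to be ldap.example.com, and the client will accept it.
URI          ldaps://ldap.example.com
TLS_REQCERT  never

# --- ldap.conf, HARDENED ---
# Trust exactly the CA that signed the directory server's certificate and
# refuse the session when the server cert does not chain to it. "demand"
# also fails the handshake if the server presents no certificate at all.
URI          ldaps://ldap.example.com
TLS_CACERT   /etc/openldap/cacerts/fds-ca.pem
TLS_REQCERT  demand

# Revocation: publish a CRL signed by that CA and make the client check it.
# With the OpenSSL-based client, TLS_CRLCHECK needs TLS_CACERTDIR pointing
# at a directory that holds the CA cert and the CRL under their hash names
# (run "openssl rehash" or "c_rehash" on it after dropping in the files).
# "peer" checks the server's own cert; "all" also checks every CA in the chain.
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CRLCHECK  peer
```

To confirm the hardened client really rejects a bad server, point it at a host presenting a self-signed or otherwise untrusted certificate (for example with `ldapsearch -H ldaps://...`): with `TLS_REQCERT demand` the bind must fail with a TLS error, whereas with `never` it silently succeeds. Revoking the compromised server cert and re-publishing the CRL makes the same client refuse that server; if the CA itself was compromised, the only fix is to replace fds-ca.pem on every client, which is exactly the distribution pain the reply worries about.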