On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote:
> For SPICE though, users are pretty unlikely to be purchasing certs
> from the commercial CA (protection racket) vendors. They'll almost
> certainly be using their own internal CA.
>
> The question is, would they be likely to append their own private
> CA onto the list of the global certs ? I'm somewhat sceptical.

I wrote this patch while fixing certificate handling in remote-viewer ovirt code. When using oVirt, the same CA is used for the web portal/REST API and for the SPICE TLS connections. In such a setup, I don't think it's unlikely that the private CA will get added to the global certs so that the web portals work without warning screens.

When this happens, this means that remote-viewer will be able to use the oVirt REST API without needing to specify any CA, but the SPICE connection will fail because no CA will have been set (--spice-ca-file). With this patch, REST and SPICE certificate checks will work/fail for the same hosts.

> Personally I'm not convinced SPICE should use the global CA list
> by default.

For what it's worth, I'm not entirely convinced either that this patch is a good idea ;)

Christophe