On Wed, Sep 18, 2013 at 03:24:36PM +0200, Christophe Fergeau wrote: > On Wed, Sep 18, 2013 at 02:11:20PM +0100, Daniel P. Berrange wrote: > > For SPICE though, users are pretty unlikely to be purchasing certs > > from the commercial CA (protection racket) vendors. They'll almost > > certainly be using their own internal CA. > > > > The question is, would they be likely to append their own private > > CA onto the list of the global certs ? I'm somewhat sceptical. > > I wrote this patch while fixing certificate handling in remote-viewer > ovirt code. When using oVirt, the same CA is used for the web > portal/REST API and for the SPICE TLS connections. In such a setup, I don't > think it's unlikely that the private CA will get added to the global certs > so that the web portals work without warning screens. > When this happens, this means that remote-viewer will be able to use > the oVirt REST API without needing to specify any CA, but the SPICE > connection will fail because no CA will have been set (--spice-ca-file). > With this patch, REST and SPICE certificate checks will work/fail for the > same hosts. > > > Personally I'm not convinced SPICE should use the global CA list > > by default. > > For what it's worth, I'm not entirely convinced either that this patch is a > good idea ;) At the very least, if we want to use a global CA list, then if the user specifies a custom cacert file for SPICE, this should completely block any use of the global CA list. That ensures users can setup a strictly locked down setup where they're not exposed to risks of the commercial CA vendors. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel