[sldev] [POLICY] Development by consensus (Re: Question regarding upcoming maintenance on 11/27-

[Erik Anderson]

What do you mean you don't need a client cert to do server side validation?
Most clients that I know have a good dozen certs to check servers against,
especially if they're verifying the certificates.  The only reason why
they'd need to package one with the client that I know of is (1) they don't
want to use one of the more "standard" root certs like Verisign or Thawte,
or (2) they're using their own SSL libraries and they are only shipping a
single root cert with it.

On 11/29/07, Matthew Dowd <matthew.dowd at hotmail.co.uk> wrote:
>
>
> Intriguing.
>
> You don't need a client side certificate to do server side validation so
> it is unlikely that this is being used to check which server you are
> authenticating against (a good check would be to see if the viewer can still
> work with OpenSim).
>
> A client side certificate is normally used to authenticate the client, but
> that is unlikely to be the case as that would break third party clients
> connecting to SL.
>
> Of course, a self-signed certificate is not much use authenticating
> anything. My guess is that it is just there for seeding the creation of
> encrypted connections and nothing more.
>
> Matthew
>
> ----------------------------------------
> > Date: Thu, 29 Nov 2007 21:13:43 +0900
> > From: alissa_sabre at yahoo.co.jp
> > To: sldev at lists.secondlife.com
> > Subject: Re: [sldev] [POLICY] Development by consensus (Re: Question
> regarding        upcoming maintenance on 11/27-
> >
> >> I'm not convinced that there's a certificate check taking place. There
> >> _might_ be, but that's one aspect I'm not certain about.
> >
> > I recently noticed that SL viewer comes with a certificate.  (In a
> > past it didn't.)  It is installed in the "app_settings" subdirectory
> > of your viewer install directory.
> >
> > The certificate is a self-signed CA certificate (aka root cert) for
> > the following DN:
> >
> >     C=BR
> >     O=ICP-Brasil
> >     OU=Instituto Nacional de Tecnologia da Informacao - ITI
> >     L=Brasilia
> >     ST=DF
> >     CN=Autoridade Certificadora Raiz Brasileira
> >
> > If you remove this certificate or alter it, you can't login to the
> > grid.  (Unless you pass a command line option -no-verify-ssl-cert.)
> >
> > It appears that the viewer validates something against this
> > certificate, most likely the login server's identity (certificate.)
> >
> >     Alissa
> > --------------------------------------
> > New Design Yahoo! JAPAN  2008/01/01
> > http://pr.mail.yahoo.co.jp/newdesign/
> > _______________________________________________
> > Click here to unsubscribe or manage your list subscription:
> > /index.html
>
> _________________________________________________________________
> Who's friends with who and co-starred in what?
>
> http://www.searchgamesbox.com/celebrityseparation.shtml_______________________________________________
> Click here to unsubscribe or manage your list subscription:
> /index.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.secondlife.com/pipermail/sldev/attachments/20071129/9c8e1fee/attachment-0001.htm