[sldev] [POLICY] Development by consensus (Re: Question regarding upcoming maintenance on 11/27-

Matthew Dowd matthew.dowd at hotmail.co.uk
Thu Nov 29 11:21:03 PST 2007


Yes, you are quite right - I was thinking of complete certificates including the private keys.

You will need the public keys of CAs you are willing to trust.

Matthew
________________________________
> Date: Thu, 29 Nov 2007 08:23:39 -0800
> From: odysseus654 at gmail.com
> To: matthew.dowd at hotmail.co.uk
> Subject: Re: [sldev] [POLICY] Development by consensus (Re: Question regarding upcoming maintenance on 11/27-
> CC: alissa_sabre at yahoo.co.jp; sldev at lists.secondlife.com
> 
> What do you mean you don't need a client cert to do server side validation?  Most clients that I know have a good dozen certs to check servers against, especially if they're verifying the certificates.  The only reason why they'd need to package one with the client that I know of is (1) they don't want to use one of the more "standard" root certs like Verisign or Thawte, or (2) they're using their own SSL libraries and they are only shipping a single root cert with it.
> 
> On 11/29/07, Matthew Dowd wrote:
> 
> Intriguing.
> 
> You don't need a client side certificate to do server side validation so it is unlikely that this is being used to check which server you are authenticating against (a good check would be to see if the viewer can still work with OpenSim).
> 
> A client side certificate is normally used to authenticate the client, but that is unlikely to be the case as that would break third party clients connecting to SL.
> 
> Of course, a self-signed certificate is not much use authenticating anything. My guess is that it is just there for seeding the creation of encrypted connections and nothing more.
> 
> Matthew
> 
> ----------------------------------------
>> Date: Thu, 29 Nov 2007 21:13:43 +0900
>> From: alissa_sabre at yahoo.co.jp
>> To: sldev at lists.secondlife.com
>> Subject: Re: [sldev] [POLICY] Development by consensus (Re: Question regarding upcoming maintenance on 11/27-
>>
>>> I'm not convinced that there's a certificate check taking place. There
>>> _might_ be, but that's one aspect I'm not certain about.
>>
>> I recently noticed that the SL viewer comes with a certificate.  (In the
>> past it didn't.)  It is installed in the "app_settings" subdirectory
>> of your viewer install directory.
>>
>> The certificate is a self-signed CA certificate (aka root cert) for
>> the following DN:
>>
>>     C=BR
>>     O=ICP-Brasil
>>     OU=Instituto Nacional de Tecnologia da Informacao - ITI
>>     L=Brasilia
>>     ST=DF
>>     CN=Autoridade Certificadora Raiz Brasileira
>>
>> If you remove this certificate or alter it, you can't login to the
>> grid.  (Unless you pass a command line option -no-verify-ssl-cert.)
>>
>> It appears that the viewer validates something against this
>> certificate, most likely the login server's identity (certificate.)
>>
>>     Alissa

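An added illustration, not part of the thread and not Second Life viewer code, of the behaviour discussed above: a client that ships one root certificate accepts a server certificate only when that root verifies it, and the shipped file holds no private key. It assumes the `openssl` command-line tool is on the PATH; the CA names and `login.example.test` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate here is generated on the fly.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_ca() {            # $1 = file prefix, $2 = CN of a self-signed root
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Demo/CN=$2" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

make_server_cert() {   # $1 = prefix of the CA that signs the server certificate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=login.example.test" \
        -keyout "$demo_dir/server.key" -out "$demo_dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/server.csr" -days 2 \
        -CA "$demo_dir/$1.pem" -CAkey "$demo_dir/$1.key" -CAcreateserial \
        -out "$demo_dir/server.pem" 2>/dev/null
}

verify_with() {        # client-side check against trust anchor $1: ok / fail
    if openssl verify -CAfile "$demo_dir/$1.pem" "$demo_dir/server.pem" \
        >/dev/null 2>&1; then echo ok; else echo fail; fi
}

is_self_signed() {     # a root certificate has identical subject and issuer
    s=$(openssl x509 -noout -subject_hash -in "$demo_dir/$1.pem")
    i=$(openssl x509 -noout -issuer_hash -in "$demo_dir/$1.pem")
    if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

has_private_key() {    # the file a client ships should hold a certificate only
    if grep -q "PRIVATE KEY" "$demo_dir/$1.pem"; then echo yes; else echo no; fi
}

make_ca bundled "Demo Root CA"       # stands in for the root shipped with a client
make_ca other "Unrelated Root CA"    # stands in for an altered or replaced file
make_server_cert bundled
echo "verify with bundled root:   $(verify_with bundled)"
echo "verify with different root: $(verify_with other)"
echo "verify with root removed:   $(verify_with missing)"
echo "bundled root self-signed:   $(is_self_signed bundled)"
echo "private key in anchor file: $(has_private_key bundled)"
```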