Nicolas Roumiantzeff wrote:
>
> Yes I think both solution are equivalent from a crypto point of view and are
> both definitively better than unstaling manualy a CA cert through an
> unsecured download.
>
> There might be to practical difference though:
>
> 1) I am not sure that the browser (IE and NN) UI will let the user make the
> difference between installing a CA cert through a secured SSL connection and
> through an unsecured connection.
>
> 2) And most important, with the ActiveX and Plug-in/SmatUpdate scheme, you
> can automatically detect if the CA cert has already been installed or not.
>
There are some other practical differences between the two.
When you add a CA via an API call from ActiveX control or any other
method in IE you still can get a series of dialog boxes asking you first
if you want to download the control. AFAIK you always get a box asking
whether you want to add the root CA.
With Netscape the method of adding a CA via a plugin works only under
Windows and could be regarded as a security hole in Netscape which could
be plugged at any time.
With Netscape you also get lots of dialog boxes asking if you really
want to let this stuff potentially write all over your hard disk.
On the plus side ActiveX controls and Netscape signed stuff doesn't
expire when the certificates do. If you serve up stuff with SSL the
certificate needs to be up to date.
On the minus side many people are very wary of ActiveX controls because
they can either deliberately or accidentally open up security holes.
Netscape signed objects are a bit more primitive: they allow expired
certificates to be used and don't do revocation checking.
Speaking personally on balance I'd be much happier adding a CA
certificate over SSL than running a signed object.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
