Paul wrote:
>> It's possible to download and install all certs of the
>> Windows root certificate program:
>> http://support.microsoft.com/?scid=kb%3Ben-us%3B931125&x=14&y=13
>> (or google for "KB931125")
>>
>> They are a lot!
>
> thanks a lot,

You are welcome. Probably you could also export the certificate store of Mozilla. If you use the certs from the Windows root certificate program, all those certs not supporting SSL server may be excluded from the bundle file (hardware, e-mail etc.).

Anyway, there was still some security leak if you do not include revoked certs in the validation process. The SslContext provides two properties for this purpose: SslCrlPath and SslCrlFile. I'm currently thinking about a solution to automatically download and include certificate revocation lists from the URI specified in some certificates (some revocation lists are pretty large, over 1900 revoked certs). But that's not all, OCSP seems to become popular, which is also supported by OpenSSL; Mozilla provides it as well. Sounds like a lot of work :(

--
Arno Garrels