From: Josh Soref
To: Cordova Dev
Subject: Re: Support self-signed certs in FileTransfer
Date: Wed, 11 Dec 2013 15:51:56 +0000

Ian wrote:
> There was some talk on the list a couple months ago about this -- not for
> file-transfer specifically,
> but the general idea of supporting custom certificates, or CAs in Cordova.

This came up yesterday in the office.

> I think that, after a number of emails, we concluded that for users who
> have legitimate custom certificate requirements, that there should be
> os-policy-level mechanisms for adding custom certs, and that the individual
> application was the wrong level to be managing them.

I made the opposite argument. Users will not be able to do anything useful with global stores. The result is that unrelated applications will still / misappropriate certificates.

Google is supporting zero trust:
http://www.scmagazine.com.au/News/367057,googles-plan-to-kill-the-corporate-network.aspx
http://www.darkreading.com/perimeter/forrester-pushes-zero-trust-model-for-se/227500145

While you might be OK with a prompt to enter an RSA token, you could easily not recognize that the requesting party shouldn't be given it.

Browser developers failed miserably the first time that client certificate UI was designed - Neither the "automatic selection" nor the "prompt user for certificate" choices work safely.