 Originally Posted by bpdamas
I do not think that I am missing the point. They are not using certificates at all. Is it possible to make something "secure" without using certificates? If the answer is no then my IT department is all sorts of backwards. If the answer is yes, then maybe you will start getting my point.
But, you're talking in circles. Here was your previous statement:
 Originally Posted by bpdamas
If your IT department basically has the security and encryption given by SSL and certificates, what is the point of another certificate just to make a phone work? That is why I think they should make it an option.
(my emphasis added). Your previous post implied that your IT department already had certificates.
To broadcast over SSL, a server must have a certificate. It's part of the protocol.
Most SSL client programs (such as browsers) require that you accept a certificate. Internet Explorer does this, as do most other browsers. The primary differences in what Palm is doing are:
- They are requiring that you import the certificate, you can't just acknowledge it (as in IE). Whether or not this is a mistake is debatable, but personally I don't think it is.
- They (apparently) have a bug that will not accept multiple CNs, which many self-signed certificates have.
 Originally Posted by bpdamas
...
All in all, I am not trying to be confrontational. I am simply not understanding why Palm didn't include this as an option. I really am enjoying this phone. To be honest, I would just like to get this EAS thing figured out without having to do any work. So if Palm sends an update I will keep the phone. If they don't, I might not keep it. I haven't decided that yet.
Keep in mind that if Palm had not set things up so you imported the certificate, they would have been forced to do one of two things:
- Accept questionable certificates without having the user acknowledge them. This would be a big security issue for the Pre.
- Force the user to acknowledge the problem certificate each time the application ran! That means that each time your Pre established a new connection, you would have to acknowledge the problems with the cert (just as you do with IE and other browsers when a cert has issues).
By having the user import the certificate once, they will not have to acknowledge it again. Where Palm erred was in not properly accepting the self-signed certs.
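Added example, not part of the original post and not Palm's code: a sketch of import-once trust combined with name matching that considers every CN in the subject, next to a matcher that reads only the first CN. The class, function names, host names and placeholder certificate bytes are constructed; the certificate dict uses the shape Python's `ssl` `getpeercert()` returns.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes; this is what gets remembered on import."""
    return hashlib.sha256(der).hexdigest()

def candidate_names(cert: dict) -> list:
    """All host names the certificate claims."""
    # Prefer subjectAltName DNS entries when the certificate has them.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Otherwise collect every commonName in the subject, not just one.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def first_cn_only(cert: dict) -> list:
    """Failure mode: stops at the first commonName and ignores the rest."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                return [v]
    return []

class ImportedCerts:
    """Certificates the user imported once; later connections need no prompt."""
    def __init__(self):
        self._pins = set()

    def import_cert(self, der: bytes) -> None:
        self._pins.add(fingerprint(der))

    def check(self, der: bytes, cert: dict, host: str, names=candidate_names) -> str:
        if fingerprint(der) not in self._pins:
            return "untrusted"        # never imported: refuse, do not silently accept
        if host.lower() not in (n.lower() for n in names(cert)):
            return "name-mismatch"    # imported, but not valid for this host
        return "ok"

# Constructed sample: placeholder bytes stand in for the DER encoding that
# getpeercert(binary_form=True) would return; the subject carries two CNs.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_CERT = {"subject": ((("commonName", "exchange.corp.example"),),
                           (("commonName", "mail.example.com"),))}
```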