Re: Validating SSL certificates

[amol.dabholkar () gmail com]

Hi Erik
I assume that you have a standalone software that you give to your customers and which can be used offline. The 
software then is under the complete control of your untrusted customer.
In that case, I do not see how you can avoid hardcoding the root cert in your code (or a thumbprint that you can use to 
verify that the root cert on the client side trust store is the one you used to sign the client cert)
If your self signed root cert is outside of your program, the untrusted customer can easily replace it by their own 
cert chain since everything in the customer environment other than the binary executable is in the customer control.
Ofcourse, if the customer is really determined he can always crack the binary, but as a minimum safegaurd i would think 
hardcoding the root cert in the program is necessary.
regards
Amol

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------