Re: Network security manager

[Lars Magne Ingebrigtsen]

Toke Høiland-Jørgensen <address@hidden> writes:

> Tangentially related, one thing I would like to be able to have, is to
> have multiple fingerprints stored for the same host,post tuple *at the
> same time*. I run into this problem with servers that do round-robin to
> different servers with different certs for the same hostname. I'd like
> to be able to store all of them at once (by, for instance, connecting a
> bunch of times and trusting the certificates one by one, and then know
> that after that a mismatch should be considered suspicious).

That should be easy to implement -- we can just allow the :fingerprint
slot to be a list and check against that.

But what would the user interface say?  Today it says

The fingerprint for the connection to %s:%s has changed from\n%s to\n%s
Connect anyway?  (no, session only, always)

So...  erm...  

Connect anyway?  (no, session only, always, add new fingerprint)

No, that's two "a"'s...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no