OSX sslcacertfile and GMail (Basic help)

Nicolas Sebrecht nicolas.s-dev at laposte.net
Tue May 19 10:22:09 BST 2015


On Tue, May 19, 2015 at 09:45:55AM +0200, Rainer M Krug wrote:

> I don't know - if to let offlineimap fetch the certificates would result
> i duplication of the certificates in the keychain, it would not be a
> disadvantage and to let the user fetch the certificate would be the
> better solution (as Safari is installed, it would be a minor
> inconvenience - if one has to use Mail, it would be a problem). But if
> offlineimap would add a missing certificate in such a way that It will
> be used by other applications as well in the "OSX way of doing things",
> that would be perfect.

Other side notes.

Currently, packaging certificates is the responsabiility of the OS
distributors (Microsoft, Apple, Linux distributions, etc). AFAICT, they
embed commonly used certificates and provide (sometimes poor) tools to
manage those.

If the user need a certificate which is not packaged, the policy is to
let him do the job of adding it in the software database manually.

Because of this, some advanced softwares (internet browsers, mail
readers, etc) might automatically fetch the required certificates for
the users and use them (once accepted). In this case, I'm pretty sure
they always collect them for their own usage.

Managing certificates at system level requires administration rights. It
is not expected a simple user or a software to manage them.

I'm not aware of neither a standard path nor a standard format to manage
certificates at the user level (without administration rights) so they
can be used across softwares.

-- 
Nicolas Sebrecht




More information about the OfflineIMAP-project mailing list