I saw Carl's recent rant about Pollock, and gave a brief reply to it. Here's something more: If you have similar issues (with Pollock, Store, or any other part of Cincom Smalltalk), then please send me those issues/complaints. In particular, if you have been considering looking at a port from another Smalltalk to Cincom Smalltalk, but have held off because of Pollock's delivery schedule, then please send that along.

Thanks,

<Talk Small and Carry a Big Class Library>
James Robertson, Product Manager, Cincom Smalltalk
http://www.cincomsmalltalk.com/blog/blogView

Hi,
I'm trying to load a WSDL schema from https://copyws.cendant.com/B2BGateway/service/XMLSelect

This schema comes easily if I point to it using a browser (Firefox), but if I try to use WSDLClient or the WSDLWizard, I get this message:

CA Not in trust registry.

Do you have any hint? Why does Firefox go and get the schema and VW not?

This is the simple way to see the message:

    wsdlClient := WsdlClient new loadFrom: 'https://copyws.cendant.com/B2BGateway/service/XMLSelect' asURI.

Should I make some different call?

Thanks for any help.

Giorgio Ferraris

Giorgio,
The issues you are facing are due to the https protocol, http over ssl. Firefox and other browsers are installed with a good number of root certificate authorities (CA) issued by companies like Verisign, Thawte etc.

VW is installed without any root certificates - and so - cannot verify the certificates that are exchanged from the server to the client.

It would be very, very nice if VW was installed with the common root authorities -- and so save Giorgio and myself (from past experience) having to learn how to obtain and install the certificates.

Answers to similar problems are at: http://www.parcplace.net/list/vwnc-archive/0512/msg00099.html

On 31/07/06, Giorgio Ferraris <[hidden email]> wrote:
> Hi,
> I'm trying to load a WSDL schema from
> https://copyws.cendant.com/B2BGateway/service/XMLSelect
>
> This schema comes easily if I point to it using a browser (Firefox), but if
> I try to use WSDLClient or the WSDLWizard, I get this message:
>
> CA Not in trust registry.
>
> Do you have any hint? Why does Firefox go and get the schema and VW not?
>
> This is the simple way to see the message:
>
> wsdlClient := WsdlClient new loadFrom:
> 'https://copyws.cendant.com/B2BGateway/service/XMLSelect' asURI.
>
> Should I make some different call?
>
> Thanks for any help.
>
> Giorgio Ferraris

--
Edward Stow

Hi, Edward,
thanks for the answer. I'll go to investigate your mail.

Giorgio

-----Original message-----
From: Edward Stow [mailto:[hidden email]]
Sent: Monday, 31 July 2006 4.47
To: Giorgio Ferraris
Cc: [hidden email]
Subject: Re: Soap document - wsdl not trusted

Giorgio,

The issues you are facing are due to the https protocol, http over ssl. Firefox and other browsers are installed with a good number of root certificate authorities (CA) issued by companies like Verisign, Thawte etc.

VW is installed without any root certificates - and so - cannot verify the certificates that are exchanged from the server to the client.

It would be very, very nice if VW was installed with the common root authorities -- and so save Giorgio and myself (from past experience) having to learn how to obtain and install the certificates.

Answers to similar problems are at: http://www.parcplace.net/list/vwnc-archive/0512/msg00099.html

On 31/07/06, Giorgio Ferraris <[hidden email]> wrote:
> Hi,
> I'm trying to load a WSDL schema from
> https://copyws.cendant.com/B2BGateway/service/XMLSelect
>
> This schema comes easily if I point to it using a browser (Firefox), but if
> I try to use WSDLClient or the WSDLWizard, I get this message:
>
> CA Not in trust registry.
>
> Do you have any hint? Why does Firefox go and get the schema and VW not?
>
> This is the simple way to see the message:
>
> wsdlClient := WsdlClient new loadFrom:
> 'https://copyws.cendant.com/B2BGateway/service/XMLSelect' asURI.
>
> Should I make some different call?
>
> Thanks for any help.
>
> Giorgio Ferraris

--
Edward Stow

Edward Stow wrote:
> The issues you are facing are due to the https protocol, http over ssl.
> Firefox and other browsers are installed with a good number of root
> certificate authorities (CA) issued by companies like Verisign, Thawte
> etc.
>
> VW is installed without any root certificates - and so - cannot verify
> the certificates that are exchanged from the server to the client.
>
> It would be very, very nice if VW was installed with the common root
> authorities -- and so save Giorgio and myself (from past experience)
> having to learn how to obtain and install the certificates.

I understand the sentiment, but this is easier said than done. Setting up the trusted CA registry is a very sensitive task from the security point of view. I have no idea what is the process that Microsoft uses to maintain that registry for Windows, but I sure hope it is a highly secured and thorough process. The certificate set should be regularly reviewed and updated promptly in response to certificate revocations as they come. This is something that we just don't have the resources for at Cincom. I'd much rather annoy our customers out of ignorance of these issues than end up being liable for some security disaster down the road, because our disclaimers and warnings weren't big, red and flashy enough.

So we choose the (arguably simpler for us, but hopefully safer in the long run for you as well) way of trying to explain the issue well enough along with providing some hints of simpler (less secure) ways of achieving necessary setup if you can afford it. It's mentioned in those posts that you linked to (section Handshake and Certificates in the Security.pdf from VW7.4 on). Yes, X.509 certificates deserve a dedicated chapter on their own and shouldn't be buried inside the SSL one, but we'll get there.

I think the best we could do is trying to hook up with certificate stores of the underlying OS, assuming that the host is maintained with at least the same level of security as the application running on it requires (of course it's not clear that's a good general assumption). However that is wildly different between OSs and I'm not even sure it's standardized on all of them. For example, I wonder if the process producing Apache's ca-bundle.crt or the way it gets bundled with various Linux distributions would satisfy requirements of our customers (especially the unsuspecting ones).

I hope that makes our position a bit clearer.

Martin
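
The situation discussed in this thread, reproduced with the OpenSSL command line as an added example (it is not code from any of the posts or from VisualWorks): a server certificate is rejected while the client trusts no root, and accepted once the issuing root is added explicitly after its fingerprint has been checked. The CA, the subject names and the file paths are constructed for the demo, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: reproduce "CA not in trust registry" with a throwaway CA.
# Every subject name and file path here is constructed for the demo.

# make_demo_pki DIR: create a root CA and a server certificate signed by it.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# verify_with_empty_store CERT: a client that trusts no root at all, which is
# the state the thread describes for a fresh install. Returns non-zero.
verify_with_empty_store() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# verify_with_root ROOT CERT: the same check once ROOT is explicitly trusted.
verify_with_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# root_fingerprint ROOT: SHA-256 fingerprint, to be compared with a value
# obtained out of band before ROOT goes into any trust registry.
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    if verify_with_empty_store "$tmp/server.crt"; then echo "empty store: trusted"
    else echo "empty store: rejected (issuer not trusted)"; fi
    if verify_with_root "$tmp/ca.crt" "$tmp/server.crt"; then echo "root added: trusted"
    else echo "root added: rejected"; fi
    echo "root SHA-256: $(root_fingerprint "$tmp/ca.crt")"
    rm -rf "$tmp"
}
demo
```
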