(keitai-l) Re: question regarding SSL and mobiles

From: Curt Sampson <cjs_at_cynic.net>
Date: 12/31/06
Message-ID: <Pine.NEB.4.64.0612311021130.2384@localhost>

Well, very late reply here, but:

On Tue, 19 Dec 2006, Kris Honeycutt wrote:

> According to the carrier sites, the GeoTrust cert "should" be
> recognized, but I believe it is an issue of it having been issued from
> GeoTrust in the US and not GeoTrust Japan.

I've used GeoTrust certs on keitai sites before. Most likely, they've
signed the cert with another cert that is in turn signed by the cert the
phone knows. So the chain of trust looks like this:

     A	GeoTrust root cert, and the one the phone has
     B	GeoTrust signing cert, signed by A
     C	Your cert, signed by B

If I am correct, and this is the situation I've seen before, the phone
can't verify C because it doesn't have a copy of B. The solution is to
send both B and C to the phone, which will verify that C is signed by B,
which it also got from you, and then verify that B is signed by A, which
it has in its internal list of trusted certs.

The details of how to do this are not perfectly trivial, and depend on
what web server you're using, but this is enough information to help a
knowledgeable person fix the problem.

And for my obligatory shameless plug, Starling Software can supply such
an expert for a fee, if you don't have one handy. I suspect that there's
more than one or two others on the list who can deal with this sort of thing,
too.

(I wonder if we don't want to start a little directory of companies
providing keitai-related technical services in English.)

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974

Mobile sites and software consulting: http://www.starling-software.com
Received on Sun Dec 31 03:27:40 2006
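
The A/B/C situation described in the message above, reproduced offline with the `openssl` command line. This is an added example, not part of the original post; the certificate subjects, file names and function names are constructed for illustration, and it assumes an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed and throwaway.
# A = root the client trusts, B = intermediate signed by A, C = site cert signed by B.

build_chain() {   # $1 = existing, writable working directory
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=placeholder' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/cfg"
    for n in a b c; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # A: self-signed root CA
    openssl x509 -req -in "$d/a.csr" -signkey "$d/a.key" -set_serial 1 -days 30 \
        -extfile "$d/cfg" -extensions ca -out "$d/a.pem" 2>/dev/null || return 1
    # B: intermediate CA, signed by A
    openssl x509 -req -in "$d/b.csr" -CA "$d/a.pem" -CAkey "$d/a.key" -set_serial 2 \
        -days 30 -extfile "$d/cfg" -extensions ca -out "$d/b.pem" 2>/dev/null || return 1
    # C: end-entity cert, signed by B
    openssl x509 -req -in "$d/c.csr" -CA "$d/b.pem" -CAkey "$d/b.key" -set_serial 3 \
        -days 30 -out "$d/c.pem" 2>/dev/null || return 1
    # What the server should present: leaf first, then the intermediate.
    cat "$d/c.pem" "$d/b.pem" > "$d/bundle.pem"
}

# Server sent only C: the client holds A but has no B to link C to it.
verify_leaf_only() {
    openssl verify -CAfile "$1/a.pem" "$1/c.pem" 2>&1 | grep -q ': OK$'
}

# Server sent C and B: B is untrusted input used only to build the path to A.
verify_with_intermediate() {
    openssl verify -CAfile "$1/a.pem" -untrusted "$1/b.pem" "$1/c.pem" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d) && build_chain "$work" || exit 1
verify_leaf_only "$work" && echo "C alone: verified" || echo "C alone: FAILED (issuer B unknown)"
verify_with_intermediate "$work" && echo "C + B: verified" || echo "C + B: FAILED"
rm -rf "$work"
```

Against a live site, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether B is being served alongside C.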