[isapros] Solution for Fred's Certificate Problem

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 16 May 2006 14:42:39 -0500

Fred posted to the ISA/SBS MVP list that he was having problems with
wildcards certs. I think we have a solution here:
 

A month ago, I posted about some of the limitations of Windows Mobile
5.0's handling of certificates
<http://blogs.3sharp.com/Blog/deving/archive/2006/02/15/1248.aspx>. In
the comments, Exchange MVP Ben Winzenz <http://winzenz.blogspot.com/>
informed me about a registry hack you can perform on your WM5.0 device
that disables certificate checking. He posted more details
<http://winzenz.blogspot.com/2006/03/hacking-your-windows-mobile-50.html>
on his own blog. This is pretty cool stuff, because it allows you to
get SSL working even if your device doesn't have the root certificate
used by your Exchange SSL cert, or if you're using a wildcard cert for
Exchange (which many companies do).

However, there's still a fly in the ointment -- and that is that not
everyone is going to be able to get to the registry. Ben and I are both
using unlocked devices that give us management access to everything we
need -- the registry, the Trusted certificate store (so we can load new
trusted root certificates), RAPI for firmware updates -- to completely
control our devices. Many of the users who will be buying devices from
Verizon, T-Mobile, Cingular, and other carriers won't be so lucky. Their
devices will be locked; they won't be able to mess with the registry,
and many carriers are not rolling out the utilities to update the root
certificate store, so they'll be stuck with whatever CAs the carriers
see fit to include.

Windows Mobile 5.0 is a great step forward, don't get me wrong. I use it
and love it, especially now that I have upgraded to the MSFP. However,
it is important to remember the business model used for WM differs from
standard Windows. Windows Mobile is not sold to end-users; it is sold to
device manufacturers and telco carriers/operators. They are the ones who
decide what the final feature loadout will be and how the devices will
be configured, not the people who purchase them.

The moral of the story? Choose your OEMs and carriers carefully. Get
test units and make sure you're going to be able to get all the features
you need working before doing a full deployment. If your carrier doesn't
offer a configuration that meets your needs -- or won't work with you to
get the tools you need to modify the configuration -- then find someone
who does.

Blog at: http://blogs.3sharp.com/blog/deving/

 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 
