It’s sometimes hard to visualize what’s going on with Git when you’re unfamiliar with it, and not everybody is familiar with the concept of a Directed Acyclic Graph, so to help get everyone up to speed, we ordered a Tinkertoy set.

There are probably better ways to spend Monday morning at work than putting together a Tinkertoy model of a Git repository, but I can’t think what they might be.

As with many products before, I fall somewhere in the middle.

On the plus side: It looks like a beautiful piece of hardware; every report I have read says that using it is a dream come true to any fan of the various iTouches. Fast, integrated, smooth, and with beautiful user interface decisions; top of the line hardware and (more polish on) groundbreaking software combine to make an unbelievable platform, and one which the vast majority of people will find satisfies their needs and exceeds all their expectations.

On the minus side: Apple has made, and will continue to make, an intentionally crippled and limited device in the name of a better overall user experience. While I wholeheartedly agree with their goals – make it accessible to the common man! – it is simply not what I, as a power user who is otherwise well in the target market, need in many respects.

Any number of minor concessions would solve this problem for me – and these are the same issues I have with any “trusted computing” sort of platform. It is not my best interests that Apple is trying to protect here, either as a developer or as an individual user. It is theirs, and it is not in their best interests to allow me to, for instance, decide whose software I actually trust.

No, I’m not trying to run Linux on the thing. It runs a perfectly acceptable *NIX operating system already, and in fact has a fantastic GUI (for almost every purpose) and software installation procedure (for almost every case) already. I just want to run my instant messenger and Pages. Even just the ability to background one application (with – yes, I realize this – the appropriate time and attention put in to making the experience smooth and complete) would make a huge difference in the overall usability.

I’d really like to run Processing on it. It’s just such a perfect platform for art-programming, and there’s nothing else quite like Processing for that.

But that’s all. I don’t want a pony.

Another time I’ll talk about a bunch of nonsense regarding the details of SSL and some of the strange things that have come out of it, but for the moment, one specific thing stands out.

Part of an X509 certificate is an optional piece of metadata called a Subject Alternative Name, or SAN. If you take a peek at an SSL certificate that provides one, you’ll see something like this:

Certificate:
    Data:
        [...]
        Subject: C=US, ST=CA, L=Cupertino, O=Apple, Inc., CN=*.example.com
        [...]
        X509v3 extensions:
            [...]
            X509v3 Subject Alternative Name:
                DNS:specific.example.com, DNS:example.com, DNS:*.example.com

Normally a client connecting to https://example.com/ will get a domain mismatch certificate error, because the CN *.example.com does not either exactly or via wildcard match example.com. However, a large number of clients also examine the list of SAN DNS names to validate the domain; since example.com shows up in that list, no error will be displayed.

Every major browser – IE, Firefox, Opera, Safari, and even the venerable Netscape Navigator have supported SANs since at least 2003. Surprisingly, Internet Explorer has supported them since Win98 (yes, that means they work in IE6, for those keeping count). Many mobile devices also recognize them – certainly the newest crop of WebKit-based and Android mobile browsers, but also things like Symbian 9.2+ and Windows Mobile 5 and 6.

Furthermore, SANs can be used to cause certain mail clients to stop complaining about connecting to a mail server that services multiple domains under one IP. Since these same mail clients are often configured to recognize an internal CA, rolling up all the possible names into the SAN list on a single certificate can save a pile of headache.

Why hasn’t this been more widely advertised and well-known? Because many certificate authorities are more in the habit of selling encryption than verification, and so would very much like to charge you for every single line in the certificate and every single reissue of the same certificate with slightly different metadata (say, a different set of SAN entries, in this case) rather than charging you for their performing trusted due diligence to ensure that you are who you claim to be and that you have the rights you claim to have over the subjects (in this case, domain names) in question.

Thanks a lot, “trusted” authorities. Way to instill confidence in your services.

There are a few respectable exceptions, of course, and a few web-of-trust CAs which perform the services for free or for reasonable, nominal charges. The web-of-trust CAs tend to have less or no native browser support, which makes them less suitable for general purpose commerce, but for those in the know (or a known browser demographic) they can be a fantastic alternative.

I’m currently a fan of DigiCert for business use, and StartCom for personal use. As a side note, many domain registrars (such as Gandi) also provide a free basic 1-year SSL certificate with purchase of a domain name.