A month ago, I posted about some of the limitations of Windows Mobile 5.0’s handling of certificates. In the comments, Exchange MVP Ben Winzenz informed me about a registry hack you can perform on your WM5.0 device that disables certificate checking. He posted more details on his own blog. This is pretty cool stuff, because it allows you to get SSL working even if your device doesn’t have the root certificate used by your Exchange SSL cert, or if you’re using a wildcard cert for Exchange (which many companies do).
However, there’s still a fly in the ointment — and that is that not everyone is going to be able to get to the registry. Ben and I are both using unlocked devices that give us management access to everything we need — the registry, the Trusted certficate store (so we can load new trusted root certificates), RAPI for firmware updates — to completely control our devices. Many of the users who will be buying devices from Verizon, T-Mobile, Cingular, and other carriers won’t be so lucky. Their devices will be locked; they won’t be able to mess with the registry, and many carriers are not rolling out the utilities to update the root certificate store, so they’ll be stuck with whatever CAs the carriers see fit to include.
Windows Mobile 5.0 is a great step forward, don’t get me wrong. I use it and love it, especially now that I have upgraded to the MSFP. However, it is important to remember the business model used for WM differs from standard Windows. Windows Mobile is not sold to end-users; it is sold to device manufacturers and telco carriers/operators. They are the ones who decide what the final feature loadout will be and how the devices will be configured, not the people who purchase them.
The moral of the story? Choose your OEMs and carriers carefully. Get test units and make sure you’re going to be able to get all the features you need working before doing a full deployment. If your carrier doesn’t offer a configuration that meets your needs — or won’t work with you to get the tools you need to modify the configuration — then find someone who does.