When a host is installed, it generates its certificate that can be used to verify the identity of the host. This replaced the older scheme of shared secrets that needed to be set up on both the host and the viewer. However, it seems that this new certificate-based approach does not take into consideration the callback connections. I was just setting up another callback host now and took the precaution to copy its certificate, but it was never needed - I was able to accept the callback connection with no requirements at all, and the moment I entered the shared key I was able to connect. But if it weren't for the fact that the two computers were sitting next to each other on my table, I would have ZERO information on the identity of either. So what's the purpose of the Host certificate if it isn't used to identify the host? Should someone replace my host with a fake one, how would I ever know that the change occurred? I would expect that the viewer would display the server's certificate, ask me whether it is correct, and then it would save it in the host list and warn me if the certificate ever changes.
Also, I would expect my viewer to also have a certificate and I would expect it to get checked by the hosts before they allow the callback connection to be used to control them. Currently, if someone replaced my Viewer machine with their own, the hosts would not be able to detect that and would happily allow an intruder to control them (assuming that the intruder knew the password, but that's not too difficult).
(Incidentally, it would be great if *I* could generate the certificates using my CA and set up my CA as a source for trusted certificates. But that's a nice-to-have; first I need to resolve the identities using the RU's default method.)
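
The viewer-side behaviour requested above (show the host certificate on first contact, save it in the host list, warn if it later changes) is trust-on-first-use pinning. A sketch of that check follows as an added example; it is not part of the original post and not Remote Utilities code. The class and function names, the host ID `callback-host-1` and the `hosts.json` file are hypothetical, and the certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile

NEW, MATCH, CHANGED = "new", "match", "changed"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()

class HostPinStore:
    """Viewer-side host list mapping a host ID to its pinned fingerprint."""
    def __init__(self, path: str):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, host_id: str, cert_der: bytes) -> str:
        """Classify a presented certificate without changing the store."""
        pinned = self.pins.get(host_id)
        if pinned is None:
            return NEW      # first contact: show the fingerprint, ask the user
        if hmac.compare_digest(pinned, fingerprint(cert_der)):
            return MATCH    # same certificate as the one approved earlier
        return CHANGED      # warn and refuse until the user re-approves

    def pin(self, host_id: str, cert_der: bytes) -> None:
        """Record the certificate after the user confirmed it out of band."""
        self.pins[host_id] = fingerprint(cert_der)
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2)
        os.replace(tmp, self.path)  # atomic swap: a crash cannot truncate the list

def demo() -> list:
    # Constructed sample bytes standing in for two DER-encoded certificates.
    original, replaced = b"constructed-host-cert-A", b"constructed-host-cert-B"
    with tempfile.TemporaryDirectory() as d:
        store = HostPinStore(os.path.join(d, "hosts.json"))
        results = [store.check("callback-host-1", original)]
        store.pin("callback-host-1", original)
        reloaded = HostPinStore(store.path)  # pins survive a viewer restart
        results.append(reloaded.check("callback-host-1", original))
        results.append(reloaded.check("callback-host-1", replaced))
        return results
```

`check` never writes to the store, so a changed certificate cannot silently overwrite the pinned one; only an explicit `pin` call after user confirmation does.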