[Security] TLS Certificates Verification
Peter Saint-Andre
stpeter at stpeter.im
Tue Aug 19 09:26:46 CDT 2008
Jonathan Schleifer wrote:
> On 18.08.2008 at 23:27, Peter Saint-Andre wrote:
>
>> AFAICS, TLS enables us to use PGP keys (experimental, not yet
>> supported in all TLS libraries), CA-issued certs, and self-signed
>> certs (leap of faith). There's no SAS support in TLS yet but that
>> might be developed down the line because, as discussed on the TLS list
>> recently, members of the SIP community (and others) are interested in
>> that feature.
>
> That still means no implementation has it, thus the advantage of being
> able to just use one of the TLS implementations is gone. So we could as
> well try to get a cryptanalysis for ESessions for a cheap price and use
> Brandan Taylor's implementation, for which he already offered to port it
> to C so others can use it with nearly no effort at all.
The estimates I received for completing a professional cryptanalysis for
ESessions implied that it would cost the XSF $100k to $200k (i.e., about
six weeks of effort at expected rates for such work). We don't have that
kind of money and it would not be easy to raise that kind of money. And
trying to get this done "for a cheap price" might mean that we're not
getting a reliable cryptanalysis. Even getting this done for $50k would
be a stretch financially and I'd be spending more time raising money
than doing real work. I'm sure there are grants we could seek, etc., but
I have not yet spent the time to research that in depth.
/psa
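The "leap of faith" mode for self-signed certificates mentioned in the quoted message is usually implemented as trust-on-first-use: the client records the fingerprint of the certificate it sees on the first connection and refuses later connections whose certificate does not match. The following is an added illustration, not code from either poster or from any XMPP project; the `TrustOnFirstUse` class, its `check` method and the constructed certificate bytes are assumptions for the example. Only the `fetch_peer_der` helper calls real standard-library APIs (`ssl.create_default_context`, `getpeercert(binary_form=True)`) and is shown for context; the rest runs offline.

```python
import hashlib
import hmac
import json
import socket
import ssl
from typing import Dict, Optional


class TrustOnFirstUse:
    """Minimal trust-on-first-use store keyed by host name (example code).

    Outcomes of check():
      "pinned"   - first contact; fingerprint recorded (the leap of faith)
      "match"    - certificate equals the one recorded earlier
      "mismatch" - certificate changed; caller must abort or re-verify
                   out of band before updating the pin
    """

    def __init__(self, known: Optional[Dict[str, str]] = None) -> None:
        self.known: Dict[str, str] = dict(known or {})

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        # SHA-256 over the DER encoding, the value a user would compare
        # against a fingerprint obtained through another channel.
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, der_cert: bytes) -> str:
        fp = self.fingerprint(der_cert)
        stored = self.known.get(host)
        if stored is None:
            self.known[host] = fp
            return "pinned"
        # Constant-time comparison avoids leaking how many leading
        # characters of the stored fingerprint matched.
        if hmac.compare_digest(stored, fp):
            return "match"
        return "mismatch"

    def repin(self, host: str, der_cert: bytes) -> None:
        # Explicit, separate step: only after the new fingerprint has been
        # confirmed out of band should a mismatch be overwritten.
        self.known[host] = self.fingerprint(der_cert)

    def dumps(self) -> str:
        return json.dumps(self.known, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "TrustOnFirstUse":
        return cls(json.loads(data))


def fetch_peer_der(host: str, port: int = 5223) -> bytes:
    """Retrieve the peer's DER certificate without CA validation.

    This is the leap-of-faith handshake: chain validation is disabled so a
    self-signed certificate can be observed and then pinned. Requires
    network access; not called in the offline demo below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> Dict[str, str]:
    # Constructed placeholder "certificates"; real input would be DER bytes
    # returned by fetch_peer_der().
    cert_a = b"CONSTRUCTED-DER-CERT-A"
    cert_b = b"CONSTRUCTED-DER-CERT-B"
    store = TrustOnFirstUse()
    results = {
        "first": store.check("xmpp.example", cert_a),
        "second": store.check("xmpp.example", cert_a),
        "changed": store.check("xmpp.example", cert_b),
    }
    # Round-trip through the serialised form to show the pin persists.
    reloaded = TrustOnFirstUse.loads(store.dumps())
    results["after_reload"] = reloaded.check("xmpp.example", cert_a)
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that a mismatch is never silently overwritten: `check` only records a pin on first contact, and `repin` exists as a deliberate second step so that a changed certificate surfaces to the user (or to an out-of-band comparison of fingerprints) rather than being accepted.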