[jdev] manifesto & DANE does not cut it

Ralf Skyper Kaiser skyper at thc.org
Tue Nov 19 16:21:03 UTC 2013


On Tue, Nov 19, 2013 at 2:12 PM, Ashley Ward <ashley.ward at surevine.com> wrote:

> On 19 Nov 2013, at 12:30, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> > Pinning does not require any protocol change in its simplest form. It
> can be done with just minor changes on the client side.
>
> Agreed - in its simplest form you could use it on the c2s connection to
> ensure the server’s certificate hasn’t unexpectedly changed and there’s
> nothing to stop xmpp clients implementing it.


It would be nice to have this as an optional item in the manifesto (either
Pinning-light or full pinning) so that it is on the roadmap.


> But this is only a small part of it. XMPP is federated, so how does a user
> ensure that the ongoing s2s connection isn’t compromised?


I agree. But just because we do not have a solution for every security
problem, we should not stop developing a solution for any security problem.

[...]

> I think we also need to be careful not to downplay DNSSEC and DANE too.
> They are infinitely better than most of what’s happening today, so saying
> things like “DANE does not cut it” could be disingenuous and may deter
> people from implementing anything because it’s not “perfect”.
>

I agree. DANE is an important step in the right direction.


regards.

ralf
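The "pinning-light" idea discussed above (client remembers the server
certificate it saw on the c2s connection and refuses a silently changed one)
can be sketched in a few dozen lines. The following is an added example
written for this page; it is not code from the thread, from any XMPP client
or from any project mentioned here. It assumes whole-certificate pinning by
SHA-256 over the DER encoding, a trust-on-first-use policy, and a JSON file
as the pin store; the hostname xmpp.example and the certificate byte strings
CERT_A / CERT_B are constructed placeholders, not real X.509 data. The
check_live_server function shows where the check sits on a real TLS socket
and is not exercised offline.

```python
# Added example (not from the jdev thread or any XMPP project): a
# trust-on-first-use certificate pin store for a c2s connection.  The
# client records the SHA-256 of the server certificate (DER) it sees the
# first time it connects and refuses later connections whose certificate
# does not match, so a silently swapped certificate is detected even
# though the ordinary CA-based validation still runs.  All certificates
# below are constructed placeholder byte strings, not real X.509 data.
import hashlib
import json
import socket
import ssl
from typing import Dict, Optional


class PinMismatch(Exception):
    """The server presented a certificate that differs from the stored pin."""


class PinMissing(Exception):
    """No pin is stored and trust-on-first-use is disabled."""


def cert_fingerprint(der: bytes) -> str:
    """Pin the whole certificate: SHA-256 over its DER encoding."""
    return "sha256:" + hashlib.sha256(der).hexdigest()


class PinStore:
    """Maps a server hostname to the fingerprint the client expects."""

    def __init__(self, pins: Optional[Dict[str, str]] = None) -> None:
        self.pins: Dict[str, str] = dict(pins or {})

    def check(self, host: str, der: bytes, trust_on_first_use: bool = True) -> str:
        """Return 'pinned' on first contact, 'ok' on a match; raise otherwise."""
        seen = cert_fingerprint(der)
        expected = self.pins.get(host)
        if expected is None:
            if not trust_on_first_use:
                raise PinMissing(f"no pin stored for {host}")
            self.pins[host] = seen
            return "pinned"
        if seen != expected:
            # Do not overwrite the pin here: a changed certificate is exactly
            # the event the user must be told about (rotation or attack).
            raise PinMismatch(f"{host}: expected {expected}, got {seen}")
        return "ok"

    def rotate(self, host: str, der: bytes) -> str:
        """Explicit, user-approved replacement of a pin (e.g. after rotation)."""
        self.pins[host] = cert_fingerprint(der)
        return self.pins[host]

    def to_json(self) -> str:
        """Serialise the pins for the on-disk store (hypothetical format)."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


def check_live_server(host: str, port: int, store: PinStore) -> str:
    """Connect over TLS, then apply the pin check to the presented certificate.

    Direct TLS is shown for brevity; on an XMPP c2s stream the same check
    runs on the socket obtained after STARTTLS.  Not exercised offline.
    """
    ctx = ssl.create_default_context()  # normal CA validation still applies
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return store.check(host, der)


# Constructed stand-ins for DER-encoded certificates (not real X.509).
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"


def demo() -> Dict[str, str]:
    """Walk through first contact, a clean reconnect, a swapped certificate,
    a user-approved rotation and a strict (no-TOFU) client; return the
    outcome of each step."""
    store = PinStore()
    out = {"first": store.check("xmpp.example", CERT_A)}
    out["second"] = store.check("xmpp.example", CERT_A)
    try:
        store.check("xmpp.example", CERT_B)
        out["swapped"] = "accepted"
    except PinMismatch:
        out["swapped"] = "rejected"
    store.rotate("xmpp.example", CERT_B)
    out["after_rotate"] = store.check("xmpp.example", CERT_B)
    # Pins survive a round trip through the JSON store.
    out["persisted"] = PinStore.from_json(store.to_json()).check("xmpp.example", CERT_B)
    try:
        PinStore().check("other.example", CERT_A, trust_on_first_use=False)
        out["strict"] = "accepted"
    except PinMissing:
        out["strict"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The important design point is in PinStore.check: a mismatch raises instead
of quietly updating the pin, because a changed certificate is the one event
the user must decide about (legitimate rotation versus an interposed
server). This only protects the client's own c2s hop; as noted above, it
says nothing about the s2s connection behind a federated server.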