[jdev] manifesto & DANE does not cut it
stpeter at stpeter.im
Tue Nov 19 16:25:01 UTC 2013
On 11/19/13 9:21 AM, Ralf Skyper Kaiser wrote:
> On Tue, Nov 19, 2013 at 2:12 PM, Ashley Ward
> <ashley.ward at surevine.com>
> On 19 Nov 2013, at 12:30, Ralf Skyper Kaiser <skyper at thc.org> wrote:
>> Pinning does not require any protocol change in its simplest
> It can be done with just minor changes on the client side.
> Agreed - in its simplest form you could use it on the c2s
> connection to ensure the server's certificate hasn't unexpectedly
> changed and there's nothing to stop xmpp clients implementing it.
> It would be nice to have this as an optional item in the manifesto
> (either Pinning-light or full pinning) so that it is on the
> But this is only a small part of it. XMPP is federated, so how
> does a user ensure that the ongoing s2s connection isn't
> I agree. But just because we do not have a solution for every
> security problem shall we not stop developing a solution for any
> security problem.
> I think we also need to be careful not to downplay DNSSEC and DANE
> too. They are infinitely better than most of what's happening
> today, so saying things like "DANE does not cut it" could be
> disingenuous and may deter people from implementing anything
> because it's not "perfect".
> I agree. DANE is an important step in the right direction.
And progress is being made (with many thanks to Thijs for the code
running at the IM Observatory!):
BTW, I have not read this thread because I am ultra-busy with work at
my day job. I hope to catch up later this week.