[Security] TLS Certificates Verification
Jonathan Schleifer
js-xmpp-security at webkeks.org
Mon Aug 18 09:20:04 CDT 2008
On 18.08.2008 at 13:39, Dirk Meyer wrote:
> Yes, that is solution 1 for this problem. Each user can get a
> certificate signed by the XMPP CA. But is that practical. I have not
> tried to get a signature for my XMPP server yet, but how hard is it?
> Every person who can use an IM client and register for an account
> should be able to get a signed certificate. IMHO usability is the main
> problem we have to keep in mind when trying to solve this.
It's impossible for the average user to get a certificate. Only geeks
will use encryption then. I still think we should pay the money needed
for a cryptanalysis for ESessions and use that - that's crypto even my
grandmother can use! All that hacky TLS for end-to-end stuff is more
than user-unfriendly.
> Yes, a key-pair and self-sign to make any TLS library happy. After
> that we can create a web of trust outside the ssl library. I don't
> know if this will work, but it could.
Signing keys is nothing the average user will do. Never.
Do we want crypto for everyone or do we want crypto for geeks only?
I thought Jabber should be secure by default; this means we need
something WITHOUT certificate checking or signing. We need something
like a SAS etc.
Again: ESessions already provides this.
--
Jonathan