[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Mon Aug 18 09:20:04 CDT 2008


On 18.08.2008 at 13:39, Dirk Meyer wrote:

> Yes, that is solution 1 for this problem. Each user can get a
> certificate signed by the XMPP CA. But is that practical? I have not
> tried to get a signature for my XMPP server yet, but how hard is it?
> Every person who can use an IM client and register for an account
> should be able to get a signed certificate. IMHO usability is the main
> problem we have to keep in mind when trying to solve this.

It's impossible for the average user to get a certificate. Only geeks
will use encryption then. I still think we should pay the money needed
for a cryptanalysis of ESessions and use that - that's crypto even my
grandmother can use! All that hacky TLS for end-to-end stuff is more
than user-unfriendly.

> Yes, a key-pair and self-sign to make any TLS library happy. After
> that we can create a web of trust outside the ssl library. I don't
> know if this will work, but it could.

Signing keys is nothing the average user will do. Never.
Do we want crypto for everyone or do we want crypto for geeks only?
I thought Jabber should be secure by default, which means we need
something WITHOUT certificate checking or signing. We need something
like a SAS etc.
Again: ESessions already provides this.

--
Jonathan
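[Editor's note: the message above names a short authentication string (SAS) as the certificate-free alternative. The following is an added illustration of what such a mechanism provides, written for this page; it is not code from the post, and it is not ESessions' actual protocol (XEP-0116 defines its own exchange). Two parties run an unauthenticated Diffie-Hellman exchange, derive a 20-bit string from the result, and read it to each other over a channel the attacker cannot forge. A man in the middle who terminates the exchange on both sides ends up with two different secrets, so the two strings differ. The group parameters (2**521 - 1 with generator 3), the 20-bit SAS length, the "commit|"/"sas|" labels and all function names are assumptions of this example, chosen only to keep it free of third-party libraries.]

```python
import hashlib
import secrets

# Demonstration-only group (an assumption of this example): p = 2**521 - 1 is
# the Mersenne prime M521 and 3 is used as generator.  A real deployment would
# use a standard safe-prime group (RFC 3526 / RFC 7919) or an elliptic-curve
# exchange such as X25519; this choice only keeps the example self-contained.
P = (1 << 521) - 1
G = 3
P_BYTES = 66           # 521 bits fit in 66 bytes
SAS_BITS = 20          # 5 hex digits: easy to read aloud, 2**-20 guess chance


def keygen():
    """Return (private, public) for one party of the DH exchange."""
    priv = secrets.randbelow(P - 2) + 1          # 1 .. p-2
    return priv, pow(G, priv, P)


def commit(pub):
    """Hash commitment to a public value, sent before the peer's value is known.
    It does not stop a man in the middle by itself; it stops an attacker who
    already knows the other side's value from grinding private keys until the
    two short strings happen to collide (ZRTP uses the same construction)."""
    return hashlib.sha256(b"commit|" + pub.to_bytes(P_BYTES, "big")).digest()


def verify_commit(commitment, pub):
    """Check that the public value revealed later matches the commitment."""
    return commitment == commit(pub)


def short_auth_string(priv, own_pub, peer_pub):
    """Derive the SAS from the shared secret and both public values.

    The public values are sorted so both parties compute the same string
    regardless of who initiated.  Two parties get the same SAS only if they
    share the same secret and saw the same pair of public values.
    """
    shared = pow(peer_pub, priv, P)
    lo, hi = sorted((own_pub, peer_pub))
    digest = hashlib.sha256(
        b"sas|"
        + shared.to_bytes(P_BYTES, "big")
        + lo.to_bytes(P_BYTES, "big")
        + hi.to_bytes(P_BYTES, "big")
    ).digest()
    value = int.from_bytes(digest, "big") >> (256 - SAS_BITS)
    return f"{value:0{SAS_BITS // 4}x}"


def run_exchange(mitm=False):
    """Simulate Alice <-> Bob.  With mitm=True, Mallory terminates the DH
    exchange on both sides, as she could against any certificate-less TLS.
    Returns (alice_sas, bob_sas, match); match is what the two users would
    observe when they read their strings to each other."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()

    if mitm:
        # Mallory speaks to Bob with one key pair and to Alice with another,
        # forwarding her own values instead of the genuine ones.
        _, m_to_bob_pub = keygen()
        _, m_to_alice_pub = keygen()
        bob_sees_commit, bob_sees_pub = commit(m_to_bob_pub), m_to_bob_pub
        alice_sees_pub = m_to_alice_pub
    else:
        bob_sees_commit, bob_sees_pub = commit(alice_pub), alice_pub
        alice_sees_pub = bob_pub

    # Bob aborts if the revealed value does not match the commitment he got first.
    if not verify_commit(bob_sees_commit, bob_sees_pub):
        raise ValueError("commitment mismatch: abort session")

    alice_sas = short_auth_string(alice_priv, alice_pub, alice_sees_pub)
    bob_sas = short_auth_string(bob_priv, bob_pub, bob_sees_pub)
    # In practice this comparison is done by the two humans, not in code.
    return alice_sas, bob_sas, alice_sas == bob_sas


if __name__ == "__main__":
    print("honest exchange:", run_exchange())
    print("with man in the middle:", run_exchange(mitm=True))
```

The security of this rests on the users actually comparing the string over a channel the attacker cannot alter; an SAS that nobody reads out gives exactly the same protection as an unverified self-signed certificate, namely none against an active attacker. The hash commitment matters for short strings: without it, whoever sends their DH value last could try keys until both victims see matching strings.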