[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Mon Aug 18 09:42:46 CDT 2008


"Eric Rescorla" <ekr at rtfm.com> wrote:

> They will if the software just does it.

So the software automatically signs people I talk to? I also talk to
people whom I don't trust. This is a bad idea. Really bad.

> I must say, I find SAS fairly user unfriendly as well. At least with a
> fingerprint
> type mechanism I can go out of band to someone's web site and check
> the fingerprint. With SAS, I have to actually call them on the phone.

Having a short, 5-digit-long SAS is far more user-friendly than having
a full fingerprint. Calling is also an extra security thing. You
*HEAR* that it's the person you want to talk to.

-- 
Jonathan
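The mechanism under discussion, as an added example that is not part of the thread and not code from any XMPP client: both parties run a Diffie-Hellman exchange, each derives a 5-digit SAS from its own view of the transcript, and the two users compare the digits out of band (the phone call). A man-in-the-middle has to run two separate exchanges, so the two sides' transcripts, and hence their SAS values, differ. Everything below is a hypothetical construction for illustration: the group is the RFC 3526 2048-bit MODP group 14, the SAS is SHA-256 over the sorted public values and the shared secret reduced to 5 decimal digits, and the initiator commits to SHA-256 of its public value before the responder reveals hers so that an attacker who sees the first value cannot grind ~10^5 candidates for one that makes both SAS values agree.

```python
"""Short Authentication String (SAS) demo: a 5-digit code compared out of
band detects an active man-in-the-middle on a Diffie-Hellman exchange.

Added example, not code from the jabber.org thread or any XMPP client.
Assumed (hypothetical) construction: DH over RFC 3526 group 14, SAS =
SHA-256(sorted public values || shared secret) mod 10**5, and a hash
commitment to the initiator's public value sent before the responder's
value is revealed.
"""
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
SAS_DIGITS = 5


def encode(v: int) -> bytes:
    return v.to_bytes(256, "big")


def sas_from_transcript(pub_x: int, pub_y: int, shared: int) -> str:
    """Derive the SAS. Public values are sorted so both sides hash the same
    transcript whichever of them initiated."""
    h = hashlib.sha256()
    for v in sorted((pub_x, pub_y)) + [shared]:
        h.update(encode(v))
    n = int.from_bytes(h.digest()[:8], "big") % 10 ** SAS_DIGITS
    return f"{n:0{SAS_DIGITS}d}"


class Party:
    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2          # in [2, P-2]
        self.pub = pow(G, self.priv, P)
        self.expected_commitment = None
        self.peer_pub = None

    def commitment(self) -> bytes:
        """Initiator sends H(pub) before seeing the responder's value."""
        return hashlib.sha256(encode(self.pub)).digest()

    def receive_commitment(self, c: bytes) -> None:
        self.expected_commitment = c

    def receive_pub(self, pub: int) -> None:
        if not 2 <= pub <= P - 2:
            raise ValueError("public value out of range")
        if (self.expected_commitment is not None
                and hashlib.sha256(encode(pub)).digest() != self.expected_commitment):
            raise ValueError("peer's public value does not match its commitment")
        self.peer_pub = pub

    def sas(self) -> str:
        shared = pow(self.peer_pub, self.priv, P)
        return sas_from_transcript(self.pub, self.peer_pub, shared)


def honest_session():
    """Alice commits, Bob reveals, Alice reveals; both derive the same SAS."""
    alice, bob = Party("alice"), Party("bob")
    bob.receive_commitment(alice.commitment())
    alice.receive_pub(bob.pub)
    bob.receive_pub(alice.pub)          # Bob checks the opened commitment
    return alice.sas(), bob.sas()


def mitm_session():
    """Mallory relays nothing; she runs one exchange with Alice and one with
    Bob using her own value, substituting her own commitment towards Bob.
    Each side's transcript now holds a different shared secret, so the two
    SAS values differ (except with probability 10**-SAS_DIGITS)."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    bob.receive_commitment(mallory.commitment())
    alice.receive_pub(mallory.pub)
    bob.receive_pub(mallory.pub)
    mallory.receive_pub(alice.pub)
    return alice.sas(), bob.sas()


def swapped_value_detected() -> bool:
    """If Bob already holds Alice's commitment and Mallory swaps only the
    revealed value, the commitment check rejects it outright."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    bob.receive_commitment(alice.commitment())
    try:
        bob.receive_pub(mallory.pub)
    except ValueError:
        return True
    return False


def voice_check(spoken_by_alice: str, spoken_by_bob: str) -> bool:
    """The out-of-band step: the two users read their digits to each other."""
    return spoken_by_alice == spoken_by_bob


if __name__ == "__main__":
    for label, session in (("honest", honest_session), ("mitm", mitm_session)):
        a, b = session()
        print(f"{label:7s} alice={a} bob={b} ->",
              "match" if voice_check(a, b) else "MISMATCH")
    print("swapped reveal rejected:", swapped_value_detected())
```

The commitment is what makes five digits enough: without it, whoever speaks second could pick its DH value after seeing the first one and search on the order of 10^5 candidates for a value that makes both SAS values agree. With the commitment fixed first, an attacker gets one blind guess per session, so the voice comparison fails with probability 1 - 10^-5 per attack.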