[Security] TLS Certificates Verification

Dirk Meyer dmeyer at tzi.de
Mon Aug 18 14:25:08 CDT 2008


Jonathan Schleifer wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
>
>> They will if the software just does it.
>
> So the software automatically signs people I talk to? I also talk to
> people whom I don't trust. This is a bad idea. Really bad.

No, the software will sign your own key on creation, that's all. And
the signature is bogus, it is only there to make TLS happy.

> Having a short, 5-digit-long SAS is far more user-friendly than having
> a full fingerprint.

Without fully understanding SAS, a 5-digit something sounds much
better than a fingerprint. Small question to anyone: who checks the
fingerprint OpenSSH prints out when you first connect to a new
machine? I don't.


Dirk

-- 
Paranoid Club meeting this Friday.  Now ... just try to find out where!
