[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Mon Aug 18 16:21:28 CDT 2008


Jonathan Schleifer wrote:
> On 18.08.2008 at 21:22, Dirk Meyer wrote:
> 
>> That is not an option for me. I want bots to talk to each other. They
>> can not use the phone.
> 
> That's why for example ESessions doesn't only provide SAS, but also 
> using public keys. It does not need to use public keys, but it can. This 
> is indeed *VERY* nice as there's no need to generate a key then.
> 
> I still think that ESessions is *THE* solution for encrypted IM.

Except that it's an unanalyzed technology. TLS has undergone years and 
years of analysis and hardening. I like the ideas behind ESessions and 
real security folks who've glanced at it seem to think it's not entirely 
dodgy, but that doesn't mean it would withstand a full security analysis.

Plus using TLS enables us to re-use code for the client-to-server, 
server-to-server, link-local, and end-to-end scenarios. I consider that 
a good thing.

/psa
