[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Tue Aug 19 08:16:43 CDT 2008


On 19.08.2008 at 14:20, Eric Rescorla wrote:

> And of course, this library will be totally perfect, not need any
> maintenance, etc.

It's a *huge* difference whether someone who doesn't have any idea about
crypto tries to implement it using OpenSSL in some Jabber client, or
whether they use a library that is ready to use, written by people who
know a lot about cryptography. It's like telling a database programmer
who has never done anything with graphics to write a 3D engine.

> I'm certainly sensitive to the complaint that libraries like OpenSSL
> give the programmer too much freedom, but that seems to me to be
> primarily an issue of providing an appropriate wrapper API. I don't
> see that that motivates designing an entirely new protocol which must
> then be maintained, and also requires a new implementation that must
> itself be maintained. This has proven to be a significant amount of
> work for all the COMSEC protocols of which I am aware, and given that
> XSF's expertise isn't primarily in COMSEC, I don't see any reason to
> expect that its experience would be different.

Sure, we could have something like libxmpptls.

--
Jonathan
