[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Tue Aug 19 09:26:46 CDT 2008


Jonathan Schleifer wrote:
> Am 18.08.2008 um 23:27 schrieb Peter Saint-Andre:
> 
>> AFAICS, TLS enables us to use PGP keys (experimental, not yet 
>> supported in all TLS libraries), CA-issued certs, and self-signed 
>> certs (leap of faith). There's no SAS support in TLS yet but that 
>> might be developed down the line because, as discussed on the TLS list 
>> recently, members of the SIP community (and others) are interested in 
>> that feature.
> 
> That still means no implementation has it, thus the advantage of being 
> able to just use one of the TLS implementations is gone. So we could as 
> well try to get a cryptanalysis for ESessions for a cheap price and use 
> Brandan Taylor's implementation, for which he already offered to port it 
> to C so others can use it with nearly no effort at all.

The estimates I received for completing a professional cryptanalysis for 
ESessions implied that it would cost the XSF $100k to $200k (i.e., about 
six weeks of effort at expected rates for such work). We don't have that 
kind of money and it would not be easy to raise that kind of money. And 
trying to get this done "for a cheap price" might mean that we're not 
getting a reliable cryptanalysis. Even getting this done for $50k would 
be a stretch financially and I'd be spending more time raising money 
than doing real work. I'm sure there are grants we could seek, etc., but 
I have not yet spent the time to research that in depth.

/psa
