[Security] TLS Certificates Verification

Dirk Meyer dmeyer at tzi.de
Tue Aug 19 10:56:42 CDT 2008


Jonathan Schleifer wrote:
> Am 18.08.2008 um 23:34 schrieb Eric Rescorla:
>
>> (2) What protocol it's embodied in.
>
> Well, what I don't understand: We already have ESessions. Why do we
> need another protocol now? ESessions offers nearly everything you can
> think of. It offers public keys, but you can also use secrets instead
> of public/private keys. It offers SAS, but also fingerprints. It
> allows a variety of algorithms etc.
>
> IMO, it offers all we need.

No, it is missing the one thing we also need for TLS: how to verify a
public key? Let's say I have two bots. They discover each other and
open an ESession. Bots can not use secrets (I do not want to configure
a secret for each possible bot-bot combination). So we have public
keys. Now I have the same problem I have with TLS: is this the correct
public key. Maybe I (as user) signed the bot keys (in a user friedly
way like click "add as my bot"). How to verify the signature? I want
to avoid setting up a CA. I need an answer to that question or
ESession are as useless as TLS.


Dirk

-- 
++?????++ Out of Cheese Error. Redo From Start.
        -- (Terry Pratchett, Interesting Times)


More information about the Security mailing list