[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Tue Aug 19 10:59:46 CDT 2008


Dirk Meyer <dmeyer at tzi.de> wrote:

> No, it is missing the one thing we also need for TLS: how to verify a
> public key? Let's say I have two bots. They discover each other and
> open an ESession. Bots can not use secrets (I do not want to configure
> a secret for each possible bot-bot combination). So we have public
> keys. Now I have the same problem I have with TLS: is this the correct
> public key. Maybe I (as user) signed the bot keys (in a user friedly
> way like click "add as my bot"). How to verify the signature? I want
> to avoid setting up a CA. I need an answer to that question or
> ESessions are as useless as TLS.

As bots are not people who might be afraid to verify a key or get a
certificate, they could use a certificate issued by a CA. :)

We have to differentiate between bot communication and human
communication. What is acceptable for human communication may not be
acceptable for bot communication, and what is acceptable for bot
communication may not be acceptable for human communication. Thus, it's
a good thing ESessions offer both.

-- 
Jonathan
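The "user signs the bot keys" scheme Dirk describes above, worked through as an added example (not code from this thread, from XMPP, or from any ESession implementation): the user's own key is pinned in each bot as the trust anchor, the user signs each bot's name and public key once when clicking "add as my bot", and a bot accepts a peer only if (a) the peer's key carries the user's signature and (b) the peer proves possession of the matching private key by signing a fresh session challenge. The `BotCert` record, its byte layout and the Ed25519 keys are all constructed for this example; ESessions use their own key types and encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// BotCert is the constructed "add as my bot" record: the user's signature
// over the bot's name and its long-term public key. Hypothetical format.
type BotCert struct {
	Name   string
	PubKey ed25519.PublicKey
	Sig    []byte
}

// certBytes is the exact byte string the user signs: a length-prefixed name
// followed by the raw public key, so name and key bytes cannot run together.
func certBytes(name string, pub ed25519.PublicKey) []byte {
	buf := make([]byte, 4, 4+len(name)+len(pub))
	binary.BigEndian.PutUint32(buf, uint32(len(name)))
	buf = append(buf, name...)
	return append(buf, pub...)
}

// Enroll is the user's one-time "add as my bot" step: sign identity and key.
func Enroll(userPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) BotCert {
	return BotCert{Name: name, PubKey: pub, Sig: ed25519.Sign(userPriv, certBytes(name, pub))}
}

// Verify is what a bot runs when a peer presents its cert: check the user's
// signature with the pinned user public key, then require proof that the peer
// holds the certified private key (its signature over this session's challenge).
func Verify(userPub ed25519.PublicKey, cert BotCert, challenge, proof []byte) error {
	if len(cert.PubKey) != ed25519.PublicKeySize {
		return errors.New("bad key length") // ed25519.Verify would panic on a short key
	}
	if !ed25519.Verify(userPub, certBytes(cert.Name, cert.PubKey), cert.Sig) {
		return errors.New("cert not signed by our user")
	}
	if !ed25519.Verify(cert.PubKey, challenge, proof) {
		return errors.New("peer does not hold the certified private key")
	}
	return nil
}

// Demo wires the pieces together with constructed keys. It reports whether an
// enrolled bot is accepted, whether a bot the user never enrolled is accepted,
// and whether an enrolled bot's cert replayed without its private key is accepted.
func Demo() (acceptedGood, acceptedUnenrolled, acceptedReplayed bool) {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	botAPub, botAPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // never enrolled by the user

	certA := Enroll(userPriv, "bot-a", botAPub)
	challenge := []byte("constructed session nonce") // a real session draws this at random

	// Enrolled peer with proof of possession: accepted.
	acceptedGood = Verify(userPub, certA, challenge, ed25519.Sign(botAPriv, challenge)) == nil

	// Self-signed cert for a key the user never enrolled: rejected at the user-signature check.
	selfSigned := BotCert{Name: "bot-a", PubKey: otherPub,
		Sig: ed25519.Sign(otherPriv, certBytes("bot-a", otherPub))}
	acceptedUnenrolled = Verify(userPub, selfSigned, challenge, ed25519.Sign(otherPriv, challenge)) == nil

	// Bot A's genuine (public) cert presented by a party without A's private key: rejected at the proof check.
	acceptedReplayed = Verify(userPub, certA, challenge, ed25519.Sign(otherPriv, challenge)) == nil
	return
}

func main() {
	good, unenrolled, replayed := Demo()
	fmt.Println("enrolled bot accepted:", good)
	fmt.Println("un-enrolled bot accepted:", unenrolled)
	fmt.Println("replayed cert accepted:", replayed)
}
```

The design point is that the user's key plays the role of the CA Dirk wants to avoid setting up, but with a trust anchor the user already controls; the proof-of-possession step matters because the cert itself is public and would otherwise be replayable by anyone who has seen it.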