[Security] TLS Certificates Verification

Dirk Meyer dmeyer at tzi.de
Tue Aug 19 11:50:29 CDT 2008


Jonathan Schleifer wrote:
> Dirk Meyer <dmeyer at tzi.de> wrote:
>
>> No, it is missing the one thing we also need for TLS: how to verify a
>> public key? Let's say I have two bots. They discover each other and
>> open an ESession. Bots can not use secrets (I do not want to configure
>> a secret for each possible bot-bot combination). So we have public
>> keys. Now I have the same problem I have with TLS: is this the correct
> >> public key. Maybe I (as user) signed the bot keys (in a user-friendly
>> way like click "add as my bot"). How to verify the signature? I want
>> to avoid setting up a CA. I need an answer to that question or
> >> ESessions are as useless as TLS.
>
> As bots are not people who might be afraid to verify a key or get a
> certificate, they could use a certificate issued by a CA. :)

Use case: I want to connect my media network using XMPP. I have a
set-top box (bot) and a mobile phone I want to use to control the
set-top box. Should I use a CA? Not a good idea.


Dirk

-- 
The only problem with mornings is that they happen too early in the
day.

