[Security] TLS Certificates Verification

Dirk Meyer dmeyer at tzi.de
Tue Aug 19 12:12:19 CDT 2008


Jonathan Schleifer wrote:
> Am 19.08.2008 um 04:37 schrieb Peter Saint-Andre:
>
>> I think that obtaining a client certificate from the XMPP ICA would
>> be simpler than obtaining a server certificate. The process for
>> obtaining a server certificate is explained at https://www.xmpp.net/
>> (I'm offline right now and I don't remember the exact URL) -- it
>> involves requesting a website account at xmpp.net, website admin
>> approval based on access to one of the official email addresses or
>> one of the email addresses in the whois record, then logging into
>> the xmpp.net website to visit a "jump page" from which you can
>> finally access the CA site, etc. By contrast, I think that to obtain
>> a client certificate your client would act on your behalf to
>> interact in-band with an XMPP service at xmpp.net or maybe
>> xmpp.startcom.org, with little or no involvement by the user except
>> to click a big "please generate a security certificate for me"
>> button and probably visit a special URL provided in a message (which
>> message would probably be an x:data form that is specially handled
>> by the client, not a standard message with a human-readable body).
>
> Sorry, but no average user will do that, ever. Even most geeks won't
> do that due to laziness.

If it is a simple "click" then a user will use it, but it has no
value. I can create an account and name myself "Peter Saint-Andre".
After that I click on "create signature" and get a signature for
that. That is useless. A signature means: it is that person. So a
certification process has to be more complex, and I agree with Jonathan
here: no average user will do that. It is much easier to get verified
by people you know than by a CA. So IMHO the CA idea is nice but not
usable.


Dirk

-- 
In a world of freedom, why do some people use windows and gates?
