[Security] TLS Certificates Verification

Dave Cridland dave at cridland.net
Tue Aug 19 12:48:14 CDT 2008


On Tue Aug 19 18:33:53 2008, Eric Rescorla wrote:
> Actually, this is a lot more complicated than it has to be. TLS has  
> two
> features that make this trivial to do and that don't rely on  
> certificates
> 
> 1. A PAKE mode (SRP)[0]

I see how this works, but you're asking for quite a bit of less than  
usual TLS magic involved.

Could we use a simple, channel-binding, shared-secret based SASL  
mechanism?

I've the thought in my head that we could make this essentially the  
same as Bluetooth keying, using the channel binding to "learn" the  
certificates.

That ought to be using essentially out-of-the-box bits of software,  
whereas I'm not so sure that SRP quite ranks there yet, and may well  
not for a long while.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade


More information about the Security mailing list