[Security] TLS Certificates Verification

Eric Rescorla ekr at rtfm.com
Tue Aug 19 12:48:25 CDT 2008

On Tue, Aug 19, 2008 at 10:41 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> Another problem that came to mind was:
> Every client needs its own key. How to do that on mobile devices? Could
> be difficult to get a cert from a CA there.

I certainly agree that this is a problem, but I don't think anyone is
suggesting that.
I had always assumed that if you were in a cert-based system like TLS, the
clients would generate self-signed certs purely for use as a key transport
mechanism (see DTLS-SRTP as an example of a system that does this.)
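
The check that makes a self-signed cert usable as a key transport, sketched as an added example (not part of the original message): as in DTLS-SRTP, the peer ignores the CA chain and compares a hash of the certificate presented in the handshake with a fingerprint received over the signalling channel. The function names are hypothetical and the certificate bytes are constructed placeholders rather than real DER.

```python
import hashlib
import hmac

# Hash names as written in an SDP-style fingerprint attribute -> hashlib names.
# MD5 and SHA-1 are left out on purpose, so fingerprints using them are rejected.
ALLOWED_HASHES = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
PREFIX = "a=fingerprint:"


def parse_fingerprint(attr):
    """Parse 'a=fingerprint:<hash-func> <AA:BB:...>' into (hashlib name, digest)."""
    if not attr.startswith(PREFIX):
        raise ValueError("not a fingerprint attribute")
    parts = attr[len(PREFIX):].split()
    if len(parts) != 2:
        raise ValueError("malformed fingerprint attribute")
    algo = ALLOWED_HASHES.get(parts[0].lower())
    if algo is None:
        raise ValueError("hash function not allowed")
    pairs = parts[1].split(":")
    if any(len(p) != 2 for p in pairs):
        raise ValueError("fingerprint must be colon-separated hex byte pairs")
    digest = bytes.fromhex("".join(pairs))  # raises ValueError on non-hex input
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError("fingerprint length does not match hash function")
    return algo, digest


def format_fingerprint(cert_der, func="sha-256"):
    """Build the attribute a client would send for its own certificate."""
    hexed = hashlib.new(ALLOWED_HASHES[func], cert_der).hexdigest().upper()
    pairs = [hexed[i:i + 2] for i in range(0, len(hexed), 2)]
    return PREFIX + func + " " + ":".join(pairs)


def peer_cert_matches(signalled_attr, presented_cert_der):
    """True only if the certificate seen in the handshake hashes to the
    fingerprint that arrived over the (separately protected) signalling path."""
    try:
        algo, expected = parse_fingerprint(signalled_attr)
    except ValueError:
        return False  # fail closed on anything malformed or disallowed
    actual = hashlib.new(algo, presented_cert_der).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for DER-encoded self-signed certificates.
ALICE_CERT = b"constructed placeholder: Alice's self-signed certificate"
MALLORY_CERT = b"constructed placeholder: a substituted certificate"
```

The certificate authenticates nothing on its own; the binding to an identity comes entirely from how well the channel that carried the fingerprint is protected.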


