[Security] TLS Certificates Verification
justin at affinix.com
Tue Aug 19 14:02:44 CDT 2008
On Monday 18 August 2008 14:34:19 Eric Rescorla wrote:
> I would encourage you to try to figure out what *style* of authentication
> you want and what the constraints are, and then ask what protocol best
> suits or can be made to best suit those needs.
Eric has stressed this a few times now in the thread, and I wanted to throw in
a "me too" here.
Take a look at OTR. It is very popular, but this is most certainly due to its
hassle-free user experience, *not* its security properties. Like Esessions,
OTR lacks scrutiny. Yet, users enjoy OTR because they are not bothered with
public key maintenance, and any fingerprint checking can be easily skipped.
The protocol itself is unimportant.
It is our responsibility to look out for our users (and to some extent,
ignorant application developers). This means choosing protocols and
algorithms that are trustworthy. If we can meet a desired user experience
both via a trustworthy approach and an untrustworthy approach, which one do
you think we should recommend? (this is a rhetorical question)
More information about the Security