[Security] TLS Certificates Verification

Justin Karneges justin at affinix.com
Tue Aug 19 15:30:46 CDT 2008


On Tuesday 19 August 2008 12:06:50 Jonathan Dickinson wrote:
> Very good point, Justin. Even if we implement SRP, chances are that you could
> get a few lazy developers that don't quit on the documented failure points.
> Something simple to implement (I am going to read up on OTR now :)) may be
> a good solution.

No, no.  To be clear, I'm not recommending OTR.  I'm sure Ian Goldberg is a 
great guy, but OTR hasn't been put through the wringer like TLS has been.

OTR was invented for the deniability feature.  However, I argue that OTR is 
popular today due to its usability, not due to deniability (or any of its 
security features for that matter).  Ian wanted deniability and hassle-free 
crypto, but the users of the world really only wanted hassle-free crypto.  
OTR therefore meets the needs of the users, but the fact is, the users didn't 
need a brand new protocol in order for their needs to be met.  OTR could just 
as well have been based on TLS instead of its own protocol, and it would have 
been just as popular.

-Justin

