[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Tue Aug 19 16:08:02 CDT 2008


Dirk Meyer wrote:
> Jonathan Schleifer wrote:
>> Am 19.08.2008 um 04:37 schrieb Peter Saint-Andre:
>>
>>> I think that obtaining a client certificate from the XMPP ICA would
>>> be simpler than obtaining a server certificate. The process for
>>> obtaining a server certificate is explained at https://www.xmpp.net/
>>> (I'm offline right now and I don't remember the exact URL) -- it
>>> involves requesting a website account at xmpp.net, website admin
>>> approval based on access to one of the official email addresses or
>>> one of the email addresses in the whois record, then logging into
>>> the xmpp.net website to visit a "jump page" from which you can
>>> finally access the CA site, etc. By contrast, I think that to obtain
>>> a client certificate your client would act on your behalf to
>>> interact in-band with an XMPP service at xmpp.net or maybe
>>> xmpp.startcom.org, with little or no involvement by the user except
>>> to click a big "please generate a security certificate for me"
>>> button and probably visit a special URL provided in a message (which
>>> message would probably be an x:data form that is specially handled
>>> by the client, not a standard message with a human-readable body).
>> Sorry, but not average user will do that, ever. Even most geeks won't
>> do that due to lazyness.
> 
> If it is a simple "click" than user will use it, but it has no
> value. I can create an account and name myself "Peter Saint-Andre".
> After that I click on "create signature" and get a signature for
> that. That is useless. A signature means: it is that person. So a
> certification process has to be more complex and I agree with Jonathan
> here: no average user will do that. It is much easier to get verified
> by people you know than from a CA. So IMHO the CA idea is nice but not
> usable.

This would be a Class 1, XMPP-only cert. Class 1 certs don't have a 
personal name in them (you need to upgrade to Class 2 for that and 
provide two GIPIDs and all that), all they say is "this cert goes with 
this JID".

/psa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/security/attachments/20080819/b519b4f4/attachment-0001.bin 


More information about the Security mailing list