[Security] TLS Certificates Verification
stpeter at stpeter.im
Tue Aug 19 16:30:11 CDT 2008
Justin Karneges wrote:
> On Tuesday 19 August 2008 12:06:50 Jonathan Dickinson wrote:
>> Very good point Justin. Even if we implement SRP chances are that you could
>> get a few lazy developers that don't quit on the documented failure points.
>> Something simple to implement (I am going to read up on OTR now :)) may be
>> a good solution.
> No, no. To be clear, I'm not recommending OTR. I'm sure Ian Goldberg is a
> great guy, but OTR hasn't been put through the wringer like TLS has been.
> OTR was invented for the deniability feature. However, I argue that OTR is
> popular today due to its usability, not due to deniability (or any of its
> security features for that matter). Ian wanted deniability and hassle-free
> crypto, but the users of the world really only wanted hassle-free crypto.
> OTR therefore meets the needs of the users, but the fact is, the users didn't
> need a brand new protocol in order for their needs to be met. OTR could just
> as well have been based on TLS instead of its own protocol, and it would have
> been just as popular.
I also assert that deniability is not necessarily desirable (it depends
on the requirements for the system under consideration, and I've talked
to "customers" of XMPP who positively cannot have deniability). I also
assert that cryptographic deniability is useless in the real world
anyway, but that's a separate topic.