[Security] TLS Certificates Verification

Dave Cridland dave at cridland.net
Tue Aug 19 16:30:44 CDT 2008

On Tue Aug 19 22:19:31 2008, Jonathan Schleifer wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
> > There's something truly ironic about someone lobbying for an  
> entirely
> > new and unanalyzed cryptographic protocol suggesting that using  
> the
> > most widely implemented crypto protocol in the world would be
> > reinventing the wheel.
> There would be several changes needed as already stated on this
> list. And new XEPs would need to be created. XEPs for stuff for  
> which
> already XEPs exist. If that's not reinventing, I don't know.

Actually, the XTLS proposal in its current form consists of XEP-0246,  
which is virtually all boilerplate, and just says "negotiate a XMPP  
stream", and XEP-0247, which says "figure out a way to talk to each  
other using Jingle, first".

So there's new stuff, sure, but it's not reinventing by any stretch -  
this stuff can be used and reused in multiple ways, not just for  
end-to-end authentication and privacy. In fact, XEP-0246 just  
abstracts out that part of the link-local messaging we've had for  

Inventing ESessions out of the blue most certainly *is* reinventing,  
or at the very least was at the time. It's hard to suggest in any  
reasonable way that ESessions is going to be as strong,  
cryptographically, as TLS is; it's similarly hard to propose that the  
implementations of it will be as hardened as the likes of OpenSSL.

Admittedly, it's painful throwing away that volume of work, but I  
think it's the right choice here.

If the additional properties of ESessions are of interest, we could  
of course work toward putting them into TLS - deniability in TLS  
would be instantly applicable to any other protocol which needs it,  
for instance. That might include SIP, I suppose.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Security mailing list