[Security] TLS Certificates Verification
dave at cridland.net
Tue Aug 19 16:30:44 CDT 2008
On Tue Aug 19 22:19:31 2008, Jonathan Schleifer wrote:
> "Eric Rescorla" <ekr at rtfm.com> wrote:
> > There's something truly ironic about someone lobbying for a
> > new and unanalyzed cryptographic protocol suggesting that using
> > the most widely implemented crypto protocol in the world would be
> > reinventing the wheel.
> There would be several changes needed as already stated on this
> list. And new XEPs would need to be created. XEPs for stuff for
> which XEPs already exist. If that's not reinventing, I don't know.
Actually, the XTLS proposal in its current form consists of XEP-0246,
which is virtually all boilerplate, and just says "negotiate an XMPP
stream", and XEP-0247, which says "figure out a way to talk to each
other using Jingle, first".

So there's new stuff, sure, but it's not reinventing by any stretch -
this stuff can be used and reused in multiple ways, not just for
end-to-end authentication and privacy. In fact, XEP-0246 just
abstracts out that part of the link-local messaging we've had for

Inventing ESessions out of the blue most certainly *is* reinventing,
or at the very least was at the time. It's hard to suggest in any
reasonable way that ESessions is going to be as strong,
cryptographically, as TLS is; it's similarly hard to propose that the
implementations of it will be as hardened as the likes of OpenSSL.

Admittedly, it's painful throwing away that volume of work, but I
think it's the right choice here.

If the additional properties of ESessions are of interest, we could
of course work toward putting them into TLS - deniability in TLS
would be instantly applicable to any other protocol which needs it,
for instance. That might include SIP, I suppose.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade