[Security] TLS Certificates Verification

Justin Karneges justin at affinix.com
Tue Aug 19 17:52:21 CDT 2008


On Tuesday 19 August 2008 14:50:42 Dirk Meyer wrote:
> The question we had (and that is the reason I started the discussion) is:
> how to verify the TLS certificates.

A related topic I want to talk about is private key maintenance.  I don't 
think average users will be able to maintain private keys.  Users will easily 
lose their keys, forget to transfer them when buying new computers, create 
multiple keys (by accident, or not) if they regularly use XMPP from multiple 
computers, etc.  Losing or leaving around private keys, and being unaware 
that you even have them, seems very dangerous to me.

At minimum we should probably encourage password-protecting the private keys, 
although that means yet-another-password for the user to remember...  (anyone 
know if Pidgin-OTR password-protects its private keys?)

One idea that I've kicked around, which can't possibly be new and I haven't 
evaluated the security risks of, is optionally storing a password-protected 
private key on the XMPP server.  It may sound like a terrible idea for those 
of us capable of private key maintenance, but for the average person who 
might otherwise leave a trail of private keys on random computers it may be 
preferable...

Extra points if there'd be a way to authenticate to your XMPP account and 
retrieve your private key with a single password, without the XMPP server 
being able to decrypt the private key.

-Justin
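
A sketch of the last idea in the message above, added here as an example and not part of the original post or of any XMPP specification: one password is stretched and then split into a login token the server can check and a wrapping key the server never receives. All function names, the record layout and the HMAC-based cipher (a standard-library stand-in for a real AEAD such as AES-GCM) are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor for this sketch

def _h(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def derive_keys(password, salt):
    """Stretch the password once, then split it into two unrelated keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # auth_key is sent to the server at login; wrap_key never leaves the client.
    return _h(master, b"auth"), _h(master, b"wrap")

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used only so the example runs without
    # third-party packages; a real client would use a vetted AEAD.
    blocks = -(-length // 32)
    return b"".join(_h(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]

def wrap(wrap_key, private_key):
    """Encrypt-then-MAC the private key under subkeys of wrap_key."""
    nonce = os.urandom(16)
    stream = _keystream(_h(wrap_key, b"enc"), nonce, len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, stream))
    return nonce + ct + _h(_h(wrap_key, b"mac"), nonce + ct)

def unwrap(wrap_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(_h(wrap_key, b"mac"), nonce + ct)):
        raise ValueError("wrong password or tampered blob")
    stream = _keystream(_h(wrap_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def enroll(password, private_key):
    """Client side: build the record that the server stores."""
    salt = os.urandom(16)
    auth_key, wrap_key = derive_keys(password, salt)
    return {"salt": salt,                                   # public, fetched before login
            "verifier": hashlib.sha256(auth_key).digest(),  # lets the server check auth_key
            "blob": wrap(wrap_key, private_key)}            # opaque to the server

def server_login(record, auth_key):
    """Server side: verify the login token; wrap_key is never seen here."""
    return hmac.compare_digest(record["verifier"], hashlib.sha256(auth_key).digest())
```

The server, or anyone who copies its database, can still guess passwords offline against the stored verifier, so the wrapped key is only as strong as the password and the work factor.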

