[Security] TLS Certificates Verification

Jonathan Dickinson jonathanD at k2.com
Tue Aug 19 23:40:14 CDT 2008


> -----Original Message-----
> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> Behalf Of Peter Saint-Andre
> Sent: Wednesday, August 20, 2008 6:32 AM
> To: XMPP Security
> Subject: Re: [Security] TLS Certificates Verification
>
> ...
> >
> > It is out-of-band. Hopefully more secure. Maybe SMSing or Emailing
> > the OTP could work just as well.
>
> I think it's a good idea to use different transports, but I question
> whether SMS or email is more secure than XMPP. I'd prefer the
> combination of XMPP and secure HTTP.

Although SMS is less secure, unencrypted, etc., it does allow us to prove possession. The perpetrator can hardly hack the poor guy if he doesn't have his cell phone. To make the transaction completely safe we would need implied identity, knowledge and possession (if I remember correctly). Maybe a secret question would be a good idea.

>
> /psa
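The possession-plus-knowledge scheme discussed in this thread, written out as an added example that is not code from the list or from any XMPP project. It assumes a server-side verifier that issues a short-lived, single-use OTP over an out-of-band channel (the `send` callback stands in for an SMS or email gateway) and that also stores a salted hash of a secret-question answer as the knowledge factor; the user name, answer, clock injection and attempt limit are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

OTP_TTL_SECONDS = 300      # assumed lifetime of an out-of-band code
MAX_OTP_ATTEMPTS = 3       # assumed cap on guesses per issued code
PBKDF2_ITERATIONS = 50_000  # assumed work factor for the knowledge factor


class OutOfBandOtpVerifier:
    """Two-factor check: something the user knows (secret answer) plus
    something the user has (a code delivered out of band, e.g. by SMS)."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable for testing expiry
        self._pending = {}            # user -> (code, expires_at, attempts_left)
        self._knowledge = {}          # user -> (salt, pbkdf2 hash of answer)

    @staticmethod
    def _hash_answer(salt, answer):
        # Normalise so " Rover " and "rover" compare equal, then stretch.
        normalised = answer.strip().lower().encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", normalised, salt, PBKDF2_ITERATIONS)

    def enroll_knowledge(self, user, answer):
        """Store the knowledge factor as a salted, stretched hash only."""
        salt = os.urandom(16)
        self._knowledge[user] = (salt, self._hash_answer(salt, answer))

    def issue_otp(self, user, send):
        """Generate a fresh 6-digit code and hand it to the out-of-band
        transport. The code is never returned to the in-band caller."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, self._clock() + OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS)
        send(user, code)

    def verify(self, user, answer, otp):
        """Accept only if BOTH factors check out. Both are evaluated before
        returning so a caller cannot learn which one failed."""
        known = self._knowledge.get(user)
        pending = self._pending.get(user)
        if known is None or pending is None:
            return False

        salt, expected_hash = known
        knowledge_ok = hmac.compare_digest(expected_hash, self._hash_answer(salt, answer))

        code, expires_at, attempts_left = pending
        if self._clock() > expires_at or attempts_left <= 0:
            # Expired or exhausted codes are discarded; the user must re-issue.
            self._pending.pop(user, None)
            return False
        possession_ok = hmac.compare_digest(code.encode(), otp.encode())

        if knowledge_ok and possession_ok:
            self._pending.pop(user, None)   # single use: consume the code
            return True
        # Any failure burns one attempt, whichever factor was wrong.
        self._pending[user] = (code, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    delivered = {}
    v = OutOfBandOtpVerifier()
    v.enroll_knowledge("alice", "Rover")
    v.issue_otp("alice", lambda user, code: delivered.__setitem__(user, code))
    print("login:", v.verify("alice", "rover", delivered["alice"]))
```

The points worth noticing are the ones the thread touches on: the code only ever leaves the server over the out-of-band channel, so presenting it proves possession of that channel; the code is single-use, time-limited and attempt-capped so that an interceptor has a narrow window; and the knowledge factor is checked in the same call so that neither factor alone unlocks the transaction.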

