[Security] TLS Certificates Verification
Johansson Olle E
oej at edvina.net
Wed Aug 20 01:39:55 CDT 2008
On 19 Aug 2008, at 21:02, Justin Karneges wrote:
> On Monday 18 August 2008 14:34:19 Eric Rescorla wrote:
>> I would encourage you to try to figure out what *style* of
>> you want and what the constraints are, and then ask what protocol
>> suits or can be made to best suit those needs.
> Eric has stressed this a few times now in the thread, and I wanted to throw in
> a "me too" here.
> Take a look at OTR. It is very popular, but this is most certainly due to its
> hassle-free user experience, *not* its security properties. Like
> OTR lacks scrutiny. Yet, users enjoy OTR because they are not bothered with
> public key maintenance, and any fingerprint checking can be easily
> The protocol itself is unimportant.
Well, there's an "OTR proxy" that actually is designed to be a man-in-
and be the endpoint, so that a server administrator can log in clear
The users still feel warm and happy though.