[Security] TLS Certificates Verification - certificate and private key clarification

Jonathan Dickinson jonathanD at k2.com
Wed Aug 20 01:59:52 CDT 2008


This may be a really stupid idea. Any way we could use Kerberos?


> -----Original Message-----
> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> Behalf Of Johansson Olle E
> Sent: Wednesday, August 20, 2008 8:51 AM
> To: XMPP Security
> Subject: Re: [Security] TLS Certificates Verification - certificate and
> private key clarification
>
>
> 20 aug 2008 kl. 02.10 skrev Florian Zeitz:
>
> > Another issue with certificates in general (that Justin Karneges
> > already brought up) is that there should be only one certificate per
> > JID. That means you have to get this certificate to all machines you
> > use that account with. One solution would be to store the certificate
> > on the server (doesn't really sound like a good idea). The other would
> > be to leave it to the user to transfer the certificate from machine to
> > machine, which probably falls into the "too hard" category.
>
> This is no issue with the certificate. I think you're mixing the
> certificate and the private key. The private key is needed on all
> systems, as is the public key. The certificate is a signed wrapper
> around the public key and can be distributed freely.
>
> You don't want a third party like your server to store the private key.
> (remember WAP security ;-) )
>
> Just a small clarification.
>
> We do need to start the wiki docs :-)
> /O
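As an added illustration of Olle's point (example script, not part of the thread), this shows with the openssl CLI that a certificate wraps only the public key: the key extracted from the certificate equals the one derived from the private key, a signature made with the private key verifies using nothing but the certificate, and the certificate file holds no private key material. The JID used as the certificate subject is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the openssl CLI.
set -e
WORKDIR=$(mktemp -d)
JID="user@example.org"   # constructed placeholder JID for the cert subject

make_key_and_cert() {
    # Private key: stays with the user, must be present on every client machine.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/key.pem" 2>/dev/null
    # Self-signed certificate: a signed wrapper around the public key only.
    openssl req -new -x509 -key "$WORKDIR/key.pem" -days 1 \
        -subj "/CN=$JID" -out "$WORKDIR/cert.pem" 2>/dev/null
}

cert_matches_key() {
    # Public key embedded in the cert vs. public key derived from the private key.
    a=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

cert_contains_private_key() {
    # True only if a PRIVATE KEY block is present in the file (it never is for a cert).
    grep -q "PRIVATE KEY" "$1"
}

sign_with_key_verify_with_cert() {
    # Only the private-key holder can sign; anyone holding the cert can verify.
    printf 'constructed message' > "$WORKDIR/msg"
    openssl dgst -sha256 -sign "$2" -out "$WORKDIR/msg.sig" "$WORKDIR/msg"
    openssl x509 -in "$1" -noout -pubkey > "$WORKDIR/pub.pem"
    openssl dgst -sha256 -verify "$WORKDIR/pub.pem" \
        -signature "$WORKDIR/msg.sig" "$WORKDIR/msg" >/dev/null
}

make_key_and_cert
cert_matches_key "$WORKDIR/cert.pem" "$WORKDIR/key.pem"
sign_with_key_verify_with_cert "$WORKDIR/cert.pem" "$WORKDIR/key.pem"
```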
