[Security] TLS Certificates Verification

Dirk Meyer dmeyer at tzi.de
Wed Aug 20 04:16:46 CDT 2008

Justin Karneges wrote:
> On Tuesday 19 August 2008 14:50:42 Dirk Meyer wrote:
>> The question we had (and that is the reason I started the discussion) is:
>> how to verify the TLS certificates.
> A related topic I want to talk about is private key maintenance.  I don't 
> think average users will be able to maintain private keys.  Users will easily 
> lose their keys, forget to transfer them when buying new computers, create 
> multiple keys (by accident, or not) if they regularly use XMPP from multiple 
> computers, etc.  Losing or leaving around private keys, and being unaware 
> that you even have them, seems very dangerous to me.
> One idea that I've kicked around, which can't possibly be new and I haven't 
> evaluated the security risks of, is optionally storing a password-protected 
> private key on the XMPP server. 

I had the same idea while catching up this thread and I like it.

> It may sound like a terrible idea for those of us capable of private
> key maintenance, but for the average person who might otherwise
> leave a trail of private keys on random computers it may be
> preferable...

It should be optional. You can put your key on an USB stick or upload
to the XMPP encrypted. That sounds like a very good idea to me. Adding
very strong encryption here the user only has to remember the
password. If he/she can not do that you are our of luck. But if that
happens it is not that bad, you "only" have to re-key with all your
friends again (and tell them that you are lazy and lost your key).

> Extra points if there'd be a way to authenticate to your XMPP
> account and retrieve your private key with a single password,
> without the XMPP server being able to decrypt the private key.

The XMPP password and the key password should be something completly


As long as there are ill-defined goals, bizarre bugs, and unrealistic 
schedules, there will be Real Programmers willing to jump in and Solve 
The Problem, saving the documentation for later.

More information about the Security mailing list