[Security] TLS Certificates Verification

Jonathan Dickinson jonathanD at k2.com
Wed Aug 20 04:24:06 CDT 2008


> -----Original Message-----
> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> Behalf Of Dirk Meyer
> Sent: Wednesday, August 20, 2008 11:17 AM
> To: XMPP Security
> Subject: Re: [Security] TLS Certificates Verification
>
> Justin Karneges wrote:
> >...
>
> It should be optional. You can put your key on a USB stick or upload
> to the XMPP encrypted. That sounds like a very good idea to me. Adding
> very strong encryption here, the user only has to remember the
> password. If he/she can not do that you are out of luck. But if that
> happens it is not that bad, you "only" have to re-key with all your
> friends again (and tell them that you are lazy and lost your key).

Great idea, Dirk!!! I think the client MUST guide the user through installing the key on a thumbdrive. However, the wizard MUST NOT require the user to put the key on a thumbdrive. I usually lose my thumbdrive once every two weeks (_dime a dozen_); I would obviously take care of my XMPP one, but that means at times I don't have one lying around to just install a new key on. I know a couple of people who don't even know what a thumbdrive is (they also use gopher).

>
> > Extra points if there'd be a way to authenticate to your XMPP
> > account and retrieve your private key with a single password,
> > without the XMPP server being able to decrypt the private key.
>
> The XMPP password and the key password should be something completely
> different.
>
>
> Dirk
>
> --
> As long as there are ill-defined goals, bizarre bugs, and unrealistic
> schedules, there will be Real Programmers willing to jump in and Solve
> The Problem, saving the documentation for later.

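The scheme Dirk sketches above (private key encrypted under a key password that is separate from the XMPP login password, so the blob can sit on a USB stick or on the XMPP server without the server being able to open it), as an added example that is not code from anyone in this thread. It assumes PBKDF2-HMAC-SHA256 for the password-to-key step and AES-256-GCM for the wrapping; the salt || nonce || ciphertext layout and the 100,000 iteration count are choices made here, not anything the thread specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const saltLen, nonceLen, iters = 16, 12, 100_000

// pbkdf2SHA256 is single-block PBKDF2-HMAC-SHA256 (RFC 8018): one 32-byte output block, written out so only the standard library is needed.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}
// newAEAD derives AES-256-GCM from the key password (never the XMPP login password) and the per-blob salt.
func newAEAD(keyPassword string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(keyPassword), salt, iters))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// WrapKey returns salt || nonce || ciphertext+tag; whoever stores the blob (USB stick or XMPP server) cannot open it without the key password.
func WrapKey(privKey []byte, keyPassword string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil { return nil, err } // fresh salt and nonce
	aead, err := newAEAD(keyPassword, hdr[:saltLen])
	if err != nil { return nil, err }
	return aead.Seal(hdr, hdr[saltLen:], privKey, nil), nil
}
// UnwrapKey fails on a wrong password or any tampering (GCM tag check) rather than returning garbage.
func UnwrapKey(blob []byte, keyPassword string) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { return nil, errors.New("key blob too short") }
	aead, err := newAEAD(keyPassword, blob[:saltLen])
	if err != nil { return nil, err }
	return aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}
```

Losing the key password loses the blob for good, which is exactly the "re-key with all your friends" case Dirk describes; the server holding the blob never sees the password and so has nothing to hand to an attacker.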