[Security] TLS Certificates Verification

Dave Cridland dave at cridland.net
Wed Aug 20 05:58:30 CDT 2008

On Wed Aug 20 11:22:46 2008, Jonathan Dickinson wrote:
> You could also use SASL External...
This is quite sensible, although unrelated, if you're suggesting what  
I think you might be.

If the client has a TLS certificate, which it can do either by  
provisioning through a CA or by simply generating a self-signed one,  
then we can use the authentication with the server to bootstrap it  
there, in which case the client needn't record the password at all,  
which is nice.

Nothing to do with the problem at hand, but quite interesting.

> How about involving resources. This way the recipient would know  
> not only know who the message came from, but where (great for  
> bots). They could be used for further entropy of encryption or  
> something if used in a hash. I am not sure how it would work out,  
> but if we could get it right it would be pretty neat :P.

I have no idea what you're talking about here, however.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Security mailing list