[Security] TLS Certificates Verification
dave at cridland.net
Wed Aug 20 11:07:29 CDT 2008
On Wed Aug 20 16:09:05 2008, Jonathan Schleifer wrote:
> Peter Saint-Andre <stpeter at stpeter.im> wrote:
> > Please do some research about TLS. It is not limited to using keys
> > (e.g., read RFC 5054).
> Then why are we only talking about keys and verifiying keys here,
> not about secrets and verifiying secrets?
We're not, always.
Ekr, for instance, has been talking in terms of PAKE, a shared
secret, and session resumption, in a pretty convincing way. So
convincing, in fact, one could be forgiven for thinking he knew a
thing or two about this stuff.
In fact, I think certificates are actually the best approach, because
they're better understood, the IPR impact is clearer, they provide a
wide range of options for initial and subsequent authentication, and
both users and developers are more exposed to them, hence more likely
to accept and trust them. I think we have a solid base there from
leap-of-faith to fingerprinting to work with.
Technically speaking, Ekr's suggestion is probably the better one,
but I think it's not so much better that the benefits outweigh the
political and usability advantages of self-signed certificates.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Security