[Security] TLS Certificates Verification
Jonathan Schleifer
js-xmpp-security at webkeks.org
Wed Aug 20 11:23:26 CDT 2008
Dave Cridland <dave at cridland.net> wrote:
> In fact, I think certificates are actually the best approach,
> because they're better understood, the IPR impact is clearer, they
> provide a wide range of options for initial and subsequent
> authentication, and both users and developers are more exposed to
> them, hence more likely to accept and trust them. I think we have a
> solid base there from leap-of-faith to fingerprinting to work with.
I disagree. For the average user, they are the worst possible scenario.
They are scared by a long fingerprint or having to create a certificate
etc. Very scared! And it's not user friendly to have the user waiting
until a key is generated…
--
Jonathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
Url : http://mail.jabber.org/pipermail/security/attachments/20080820/487b4b21/attachment.pgp
More information about the Security
mailing list