[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Aug 20 11:23:26 CDT 2008


Dave Cridland <dave at cridland.net> wrote:

> In fact, I think certificates are actually the best approach,
> because they're better understood, the IPR impact is clearer, they
> provide a wide range of options for initial and subsequent
> authentication, and both users and developers are more exposed to
> them, hence more likely to accept and trust them. I think we have a
> solid base there from leap-of-faith to fingerprinting to work with.

I disagree. For the average user, they are the worst possible scenario.
They are scared by a long fingerprint or having to create a certificate
etc. Very scared! And it's not user friendly to have the user waiting
until a key is generated…

-- 
Jonathan