[Security] TLS Certificates Verification

Pedro Melo melo at simplicidade.org
Wed Aug 20 11:26:41 CDT 2008


(just joined the list so still catching up on archives, please forgive  
if I'm sending something you've discussed before)

On Aug 20, 2008, at 5:23 PM, Jonathan Schleifer wrote:

> Dave Cridland <dave at cridland.net> wrote:
>> In fact, I think certificates are actually the best approach,
>> because they're better understood, the IPR impact is clearer, they
>> provide a wide range of options for initial and subsequent
>> authentication, and both users and developers are more exposed to
>> them, hence more likely to accept and trust them. I think we have a
>> solid base there from leap-of-faith to fingerprinting to work with.
> I disagree. For the average user, they are the worst possible  
> scenario.
> They are scared by a long fingerprint or having to create a  
> certificate
> etc. Very scared! And it's not user friendly to have the user waiting
> until a key is generated…

For the average user, I liked this approach over self-signed  
certificates: http://mooseyard.com/Jens/2008/04/cloudy-verification/

I would use and be happy with a system like that.

This for human-to-human scenario.

Best regards,
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org

More information about the Security mailing list