[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Aug 20 11:38:58 CDT 2008


"Eric Rescorla" <ekr at rtfm.com> wrote:

> I must be missing something here:
> 1. Key generation in DSA-based systems is just as fast as ephemeral
>     DH key generation, as long as you use a pregenerated group.
> 2. Key generation in RSA-based systems is slower, but still a matter
>     of a second or two on any reasonably modern system.

Oh, generating an OTR key takes a few seconds here; on my 450 MHz
NetBSD box it even took about an hour, because /dev/random is used
there. So waiting an hour on some systems is OK for the user? I really
don't think so…

> If you're going to use public key cryptography, you need to generate
> public keys.

That's why I'm AGAINST using public keys; we could use secrets, as
can be done with ESessions.

-- 
Jonathan