[Security] TLS Certificates Verification

Jonathan Schleifer js-xmpp-security at webkeks.org
Wed Aug 20 12:03:35 CDT 2008


Dave Cridland <dave at cridland.net> wrote:

> Well, I strongly suspect that's extreme. A few seconds pause at  
> runtime would be a little annoying, but given you'd presumably do  
> this during either the installation or setup phase, I'm not entirely  
> clear what your point is anyway.

It's because /dev/random was used instead of /dev/urandom. But this
gives better results for the generated key, of course.

> It's certainly true that on old hardware, or mobile handsets,  
> generating an RSA key will take a while, albeit it typically not an  
> hour. But we can also arrange for standard methods for transferring  
> the private key to other devices, and for actual devices (in the  
> sense that Dirk Meyer wants to deal with) the key can be
> pregenerated by the hardware manufacturer, like is done with the
> iPhone.

I wouldn't trust the manufacturer for that. I really wouldn't.

> Or TLS, of course.
> 
> But humour me for a moment:
> 
> What makes ESessions such a win against TLS?

It's already implemented and working :).

> Why would my customers be happier with ESessions over TLS?

No need to have keys etc. Yes, I know, you can have that with TLS, but
it seems everybody here thinks "If TLS, then public keys!".

> What analysis can I show them?

None, that's why I suggested to contact Google or another premium
sponsor if they could sponsor an analysis. None of the sponsors has
been contacted for that yet.

> What IPR issues affect ESessions that I need to warn them about?

I'm not aware of any :).

-- 
Jonathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
Url : http://mail.jabber.org/pipermail/security/attachments/20080820/72b2c6c1/attachment.pgp 


More information about the Security mailing list