[Security] TLS Certificates Verification
js-xmpp-security at webkeks.org
Wed Aug 20 12:03:35 CDT 2008
Dave Cridland <dave at cridland.net> wrote:
> Well, I strongly suspect that's extreme. A few seconds pause at
> runtime would be a little annoying, but given you'd presumably do
> this during either the installation or setup phase, I'm not entirely
> clear what your point is anyway.

It's because /dev/random was used instead of /dev/urandom. But this
gives better results for the generated key, of course.

> It's certainly true that on old hardware, or mobile handsets,
> generating an RSA key will take a while, albeit typically not an
> hour. But we can also arrange for standard methods for transferring
> the private key to other devices, and for actual devices (in the
> sense that Dirk Meyer wants to deal with) the key can be
> pregenerated by the hardware manufacturer, like is done with the

I wouldn't trust the manufacturer for that. I really wouldn't.

> Or TLS, of course.
> But humour me for a moment:
> What makes ESessions such a win against TLS?

It's already implemented and working :).

> Why would my customers be happier with ESessions over TLS?

No need to have keys etc. Yes, I know, you can have that with TLS, but
it seems everybody here thinks "If TLS, then public keys!".

> What analysis can I show them?

None, that's why I suggested contacting Google or another premium
sponsor to ask if they could sponsor an analysis. None of the sponsors has
been contacted for that yet.

> What IPR issues affect ESessions that I need to warn them about?

I'm not aware of any :).