[Security] TLS Certificates Verification

Peter Saint-Andre stpeter at stpeter.im
Wed Aug 20 12:18:47 CDT 2008

Jonathan Dickinson wrote:
>> -----Original Message-----
>> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
>> Behalf Of Jonathan Schleifer
>> Sent: Wednesday, August 20, 2008 7:04 PM
>> To: security at xmpp.org
>> Subject: Re: [Security] TLS Certificates Verification
>> None, that's why I suggested to contact Google or another premium
>> sponsor if they could sponsor an analysis. None of the sponsors has
>> been contacted for that yet.

It's always easy to spend other people's money, isn't it?

As mentioned, the estimates I received indicated that a full 
cryptanalysis for ESessions would cost between $100,000 and $200,000. 
That's not exactly chump change.

Feel free to raise that money yourself, but until we have some kind of 
closure to these discussions, I am not about to approach *anyone* for 
money. And given that I have slowly come to see the logic of using 
TLS-over-XMPP, I am not enthusiastic about raising large sums of money 
for an ESessions cryptanalysis. And presumably anyone who might fork 
over $100k-$200k would do some due diligence, read these discussion 
threads and the relevant specs, and ask why we're not just using 

> Good suggestion. Seeing as Google is one of the sponsors I don't see why they wouldn't.

I can think of one huge reason why they wouldn't, but I would prefer to 
stay away from discussions of Layer 8 and Layer 9. :)

