[Security] TLS Certificates Verification

Jonathan Dickinson jonathanD at k2.com
Wed Aug 20 12:26:29 CDT 2008

> -----Original Message-----
> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> Behalf Of Peter Saint-Andre
> Sent: Wednesday, August 20, 2008 7:19 PM
> To: XMPP Security
> Subject: Re: [Security] TLS Certificates Verification
> ...
> As mentioned, the estimates I received indicated that a full
> cryptanalysis for ESessions would cost between $100,000 and $200,000.
> That's not exactly chump change.
> Feel free to raise that money yourself, but until we have some kind of
> closure to these discussions, I am not about to approach *anyone* for
> money. And given that I have slowly come to see the logic of using
> TLS-over-XMPP, I am not enthusiastic about raising large sums of money
> for an ESessions cryptanalysis. And presumably anyone who might fork
> over $100k-$200k would do some due diligence, read these discussion
> threads and the relevant specs, and ask why we're not just using
> TLS-over-XMPP.

I was hoping someone else would latch onto that, I didn't really want to shoot down Jonathan's ideas. To me ESessions is a great idea, it's just that it will potentially take a while to get cryptanalysed and so on. Maybe if we just kept it on the back burner for now and concentrated on solutions besides it.

This thread kinda reminds me of the good ol' days when I suggested binary XML ;).

Maybe if everyone threw their suggestions into the thread right now (mentioned or not) so that we can all look at the options in front of us?

> /psa
